Reimagining Cyber - real world perspectives on cybersecurity

Cyber Challenges in Healthcare - Ep 47

December 20, 2022 Reimagining Cyber Season 1 Episode 47

“The medical field is ripe for threat actors trying to take advantage of things, much like when it's tax time and you hear the latest IRS scam. That goes on a lot within the medical field. There are threat actors that impersonate DEA agents and try to gain access to everything from DEA numbers to prescription pads. Visiting the FBI website, they have a page dedicated to different scams out there, and there's a couple that live persistently in healthcare that we make sure our clinician side is aware of.”

In this episode, Rob and Stan talk to Louis Lerman, VP and CISO of Pediatrix Medical Group. Louis has an extensive information security background. In addition to healthcare, Louis has supported the government, defence, education, software development, and financial sectors. In fact, prior to Pediatrix Medical Group, he served as the CISO of the Deloitte Consulting Group and also as Information Security Officer at the International Monetary Fund.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Stan Wisseman:

Louis Lerman is VP and CISO of Pediatrix Medical Group. Louis has an extensive information security background with broad familiarity with a variety of different industry sectors. In addition to healthcare, Louis has supported the government, defense, education, software development, and financial sectors. In fact, prior to Pediatrix, he served as the CISO of the Deloitte Consulting Group here in the US and also served as information security officer at the International Monetary Fund.

Louis, it's great to have you with us today. Is there anything else you'd like to share about your background with our listeners?

Louis Lerman:

No, it's great to be here. He about summed up my background.

Stan:

I guess we got to know each other at Booz Allen years and years ago, and I had a chance to interact with you again at IMF, and it's great to have you on board. I know you have a lot of different touchpoints for these different sectors, but we want to focus obviously on healthcare given your current role.

And one aspect of this is obviously how the healthcare sector has had to evolve given the pandemic, right? It significantly altered the status quo, and in some ways it accelerated some of the trends: the use of telemedicine, remote care, and how they can leverage cloud services more effectively.

Some clinical innovations have, and I guess one of the questions I have for you is, as health systems and hospitals have adapted to this new reality, do you have examples of how cybersecurity has enabled these kinds of evolving changes to occur, and to do it in a secure fashion?

Louis:

Absolutely. I think you raise a good point, Stan.

Like every industry out there, healthcare especially had to evolve during the pandemic, moving to a remote workforce not only for sort of corporate users that are involved in healthcare, like myself, but for our frontline workers, our clinical workers. As you mentioned, telehealth became a big thing.

Doctors obviously live and breathe by examining their patients for the most part, in a very simplistic sort of way of saying it, having that interpersonal interaction with them, being able to touch, to see, to observe, everything. Especially in the sector that we're in, pediatrics, revolving around women and children, a clinician being able to be in person with a baby to take measurements: height, weight, head circumference.

Those are big things. And moving to a telehealth paradigm was a big shift, having to enable doctors to be able to perform the same tasks, but obviously in a very remote setting. And in some cases, I've heard stories of clinicians instructing the parents on how to take those measurements so that they can relay that information back to the doctor.

In the end, they probably had to do that because they weren't there to be able to do this themselves. Yes, and especially for a lot of our clinicians that are involved in such early stages of development of children, measurements are a very big part of a patient record: monitoring a child's growth, monitoring a child's weight.

Certain measurements are kept tabs on to make sure that a child is developing at what I would refer to as a normal rate of development. And enabling those clinicians in a remote setting obviously became a very big part of what we do, not only from security, but in IT.

And one of the things that we look to do here, especially at Pediatrix, we have undergone re-architecting an internal application that we use to keep record of all those measurements that we talked about, from an old client-server architecture, where a lot of our clinicians that are either in office settings or in hospital settings use this application to maintain some notes.

Being able to re-architect it from a client-server architecture to a cloud-based architecture has helped with that remote work. Being able to access it from wherever they are and keeping it secure has been a big effort, a big challenge for us. And on top of it, we're seeking what's known as HITRUST accreditation.

So HITRUST is sort of the healthcare equivalent of FedRAMP, if I may, where we undergo a third-party audit around this application that we use, and we'll be able to test controls from an outside perspective, making sure that we're doing certain things, that we have a certain security posture enabled.

And then once we're able to achieve that, we'll be able to fly that banner, which will help enable that piece of the business to be able to go into different hospital settings, go into different partner settings, and let them know that, hey, we've tested this from a third-party perspective. Because obviously no one wants to hear me say it's secure.

They want to hear somebody else say it's secure. And knowing that we get that accreditation, it'll make it easier for us to go into the hospital, go into partner settings, and use that system.

Rob Aragao:

So Louis, on that kind of thinking, as it relates to the HITRUST certification that you've gone through the process of, you mentioned a bit about how it does serve as actually an enabler for Pediatrix, right?

And I'll take that a step back, so maybe you can compare and contrast for the audience: what were you seeing maybe prior, with some different services capability that your organization was delivering that maybe wasn't HITRUST certified yet, versus after the fact?

I think that element of trust is the key portion of it: that the people on the other side of it, whether it's other third parties or the actual patient on the other end, have the understanding that there has been a third party in place to validate and verify that the security elements and control mechanisms, as you mention, are actually in place. So therefore you should be able to trust that kind of communication and engagement with someone like Pediatrix.

But again, if you compare and contrast, were there certain services that you guys were not necessarily able to launch until it was HITRUST certified, or how does that kind of work?

Just so people understand it a little bit better.

Louis:

To be clear, we were able to perform these services before. It's just that every time we went to engage with a partner, for example, a core piece of our business is to provide services in hospitals, which hospitals now basically take bids on from different providers like us to do those services in a hospital setting. So this application that we use, in the past, every time we partnered with a hospital group like HCA, every individual hospital would come at us with, okay, you guys want to use this application, what's the security around it?

And of course, their security team would come and want to do a full-fledged security assessment, and our team would have to put together all these different answers, different testing, technical-type testing, to show that the security was there, and it would have to be done on a one-by-one basis.

Yeah, all this one-off, one-by-one work. Where now we take that same sort of test that every hospital wanted to do, we put a wrapper on it from a central testing thing, get a third party to do it, and get this as its own thing, the HITRUST accreditation. So just to be clear, we're taking this HITRUST journey now.

So there are what I would consider three phases to it. There's a readiness assessment, which is a dry run of an actual audit that will identify certain gaps; then there's the remediation phase, where you remediate said gaps identified; and then there's the audit phase. We're currently in phase two, so we're remediating some issues that were raised in a readiness review that we had done.

To get us to a level where we'll be able to get the HITRUST accreditation and maintain it. A lot of what we're going through is policy and procedure type remediation work. And then once we go through the audit, theoretically we should be able to pass that audit and have the HITRUST accreditation. So now when we go back to these hospitals, or to re-up a contract or to win new work, we can go in saying, hey, we're HITRUST accredited. And that should eliminate those one-off audits.

Rob:

You just hit a key point, which is also, as you're going out to compete for new business, that really should serve as a key differentiator, right?

I assume at some cycle, exactly, it actually eliminates some of the competition.

Louis:

Precisely. We are probably the largest provider of what we do. It will help to separate us further from our competition, to show that, look, Pediatrix takes security seriously. Since I've joined, two-plus years ago, I've been able to sell my program to my leader,

to get the investment needed to stand up, to modernize, the security program here at Pediatrix.

Stan:

Hey Louis, it may be related to this kind of HITRUST certification of services, but it may be distinct. I want to pivot to medical devices and how the medical device manufacturers and hospitals have a joint responsibility to try to protect these devices from threats, cybersecurity threats specifically, and they have to work together. But while there's that recognition of shared responsibilities, there continues to be sometimes some finger pointing as far as who has the responsibility in this case, who does what as far as the protection, and ultimately the danger is that the patient could be impacted, right, by a cybersecurity attack on a device that may be outdated or unprotected. So what's your take on this, and is it also under that HITRUST certification, or is it distinct from that?

Louis:

It's distinct. Again, further to clarify, HITRUST is, think of it, for those out there listening that are in the government space, it's like FedRAMP. FedRAMP is a program, an accreditation, that takes into account certain controls that government agencies can look to, that are tested from an independent perspective. So for a simple example, all the major cloud providers, when you look at Google Cloud, Azure, which is Microsoft's offering, or Amazon Web Services, they all have FedRAMP tenants.

So a FedRAMP tenant is accredited for use by the government, the non-DOD or the public service agencies. And again, they are part of the FedRAMP marketplace, and government agencies can go in there knowing that they have been tested and that the controls are there to fit the security posture that they want.

So that's what HITRUST, to me, is looking to do for the medical or healthcare sector. When you look at it, again, from this cloud perspective, they all have HITRUST tenants that you can go into that have a certain level of controls in there, so that they should map to a security posture that a healthcare organization is looking for.

But it is distinct from Internet of Things, as you mentioned, the different medical device companies. I look at that as something that me and my team need to worry about. For example, dealing with some of the medical device manufacturers, medical device companies, they implement security on their devices, on their software, whatever, from their perspective.

And I would say a lot of times, to me, that comes in conflict with what I would consider the right security setting, or not what we would want to see. It needs to be, I think, more supplemented with other controls. I don't want to say more open.

It's just not the way I would do it, if that makes sense. For example, there was a vendor we were dealing with where we wanted to change how we architect it in our network. The way they do multifactor authentication is they do it through email as a second factor. To me, and I would say to most security practitioners out there, email is not a secure second factor.

So they do have it in their roadmap to integrate with different token providers, such as Microsoft Authenticator, Google Authenticator, where you have a true second factor. But we have to work with those vendors to, again, use what they provide, but also layer on different security mechanisms so that it brings it up to what I would say is a more rigorous standard in our environment.

Stan:

Rob and I had a chance to speak to the product security manager or director at Siemens for their healthcare-related medical devices. And we were impressed by what they're doing at Siemens, but I guess from your perspective, you don't know what each manufacturer is going to be doing.

Louis:

And again, I don't want to give the impression that they're not. Because again, they are putting in security that they see from their perspective. And I say that because, look at Siemens, a massive organization. They're building products that are used by hundreds of different healthcare companies.

Realistically, they can't build a hundred different security mechanisms into it, right? They have to build their products with a certain architecture in mind, with a certain way of use in mind. Now obviously there are going to be organizations in there that want to do things a little differently, whether it's from an architecture perspective on how that product sits in that healthcare provider's environment and how the different users interact with it.

And that can cause challenges. And again, that's where I see the challenge of how we fit it into our sort of ecosystem and how the vendor intended it to be used. And sometimes those aren't the same. And that's where we as the security practitioners have to find a way to make it work, and make it work securely.

Rob:

Got it. Yeah, and that makes sense, right? Because to your point, they're going to market with a specific capability and they have to service at scale, but then when they're engaging with each of the different customers, yourself included, you provide them feedback, for the most part.

Louis:

They do take that feedback, and they try to take recommendations and put them into their product roadmap.

Rob:

No, that makes sense. Let me pivot a little bit, Louis, more so into the areas now of what we've been seeing around data breaches and ransomware. Obviously challenges for everyone, but it's been especially challenging for the healthcare vertical as a whole.

In the past several years we've seen a growing number of hospitals and healthcare organizations that have faced cyber attacks, interrupting care and service, putting patients at risk. So that's a big, big concern, obviously, and you even mentioned it earlier around safety being a major element of the program to take into account.

I want to get your perspective and share again with everyone: what are you seeing out there? What are some of the key areas, whether it's specific to the way you look at it, or even as part of the greater collaboration with the ISACs and other people that come in and say, oh, these are the things that we're doing, or the things that we should all be considering doing?

Just share what you're seeing out there that's helping make some positive movement in that direction of better securing and providing safety.

Louis:

Sure thing. Yeah, great question. Ransomware is definitely top of mind when it comes to vulnerabilities or exploits that are used by threat actors out there.

I think for me, one of the key factors that I brought when I joined Pediatrix was the creation of a cyber threat intelligence function. So one of the guys that I had on the team that I inherited, I identified as someone that I thought could fill that role in a good way. I proposed it to him and he accepted it, and he has, quite frankly, run with it.

Part of what he does is monitoring different threat feeds, different threat channels, for information. We did join, as you mentioned, the ISAC. We joined H-ISAC, the Health Information Sharing and Analysis Center, which we are active members of now and have been for the last two years. We take part in sharing not only things that we're seeing, but definitely glean information from there on a regular basis.

We look to constantly pull from H-ISAC for different information. We use it as a valuable source of threat intelligence to feed into different technical things that we're doing, whether it's with our SIEM or our firewalls. And it is a valuable, highly valuable source of information.

One of the products that we put out internally is a threat intelligence briefing that's done on a biweekly basis. And my threat intelligence officer has the purview to go out and send this to our executive team as well as to our level one, level two management layers. So that information is shared not just within IT but also with the business as well, to make them aware of some of the things that we're doing, some of the things that we're seeing, and that intertwines and feeds into all different programs within Pediatrix.

From our awareness program to our patch management capability, threat intelligence is a very well received effort and function here at Pediatrix.

Stan:

So you're raising the visibility of some of these threat actors and their activities and campaigns, and how they potentially could impact the organization, and then also what you're doing about it.

Louis:

Absolutely. Because it's not just the Pediatrix IT environment proper. It's a lot of individuals, not just, you know, from IT or the CEO, but clinicians. The medical field is ripe for threat actors trying to take advantage of things, much like when, you know, it's tax time and you hear the latest IRS scam. That goes on a lot within the medical field. There are impersonators, threat actors that impersonate DEA agents, to try to gain access to everything from DEA numbers to prescription pads. Visiting the FBI website, they have a page dedicated to different scams out there. And there are a couple that live persistently in healthcare that we make sure our clinician side is aware of,

so that they're educated on these types of calls that they may receive.

Stan:

Maybe related to some of these enhanced threats that have targeted the healthcare sector, NIST has updated its cybersecurity guidance for healthcare, and they have that new HIPAA Security Rule draft. I think that was released in July, and the public comment period ended in October.

It's NIST SP 800-66 revision two. Have you had a chance to look that over, and do you have a perspective on this draft and the changes they're recommending?

Louis:

So I haven't had a chance to look that over. But we do use NIST as our cybersecurity framework. And with that revision, we do want to shift specifically to this NIST SP 800-66 as our official framework that we use for risk management internally from an IT security perspective.

Healthcare is definitely one of those things now that has attention, especially when you look at, going back to ransomware, all the ransomware attacks that have gotten out there. Earlier this year, we had the first death attributed to a ransomware attack. There was a hospital that fell victim to a ransomware attack and they actually had a transfer of patients out, and unfortunately, one of the patients that they were transferring out passed away.

It is an unfortunate byproduct of what these attacks can do, and I think it's made people aware that it's more than just money. We're dealing with people's lives.

Stan:

It interrupts the way in which you can do business and help provide care to patients, and in some cases that could result in harm to these patients.

Healthcare is one of the critical infrastructure paradigms. When you look at the CISA, the Cybersecurity and Infrastructure Security Agency, listing, healthcare is one of them. That goes to show it's not just power, energy. Healthcare is right up there as well.

Rob:

Again, to your point, it's an element of safety.

It's an element of reality with this example of human life being impacted, which again, anything critical infrastructure tends to map back into, as you mentioned, if it's nuclear, it's energy related, right? Those are all elements of what it can actually be as a major eye-opener. It's unfortunate that occurred as an incident. Hopefully people are moving in the right direction; it sounds like they are. Louis, you came on and did a great job in explaining to us and the audience, I think, different elements, just in the short two and a half years you've been there, by the way, at Pediatrix, on the importance of HITRUST, specific to the healthcare vertical.

And what that means as a business enabler, the elements of the things that you're dealing with on a daily basis, the kind of new innovations around medical devices and where that's going. And also I love what you've done with the threat intelligence aspect, how you've actually operationalized it in your program, but the reality is you've elevated it to the level where it needs to be understood at the executive tier, with visibility and awareness as to these are the things that our teams are actually dealing with, this is what we feel is the impact to us in operating our business, and ensuring that they're well aware of it ahead of time, as much as possible of course. And I think that visibility continues to strengthen the collaboration and partnership that you've been able to establish there at Pediatrix with the executive tier.