IoT Security Podcast – Featuring Jason Taule, vCISO
Hosted by James McCarthy, Director of Sales Engineering, Phosphorus
As the frequency and sophistication of cyberattacks escalate, healthcare continues to face some of the most persistent and complex security challenges. In this episode of the IoT Security Podcast, returning guest and veteran vCISO Jason Taule unpacks the current state of healthcare cybersecurity—and why the industry needs a new model for collaboration, visibility, and device-level identity.
From 300 to 5,000 Events Per Second
After decades in the security space, Jason has seen attack volumes shift drastically. “As of about eight or nine months ago, the number of events that we were seeing per second hit our environment were in the, in the hundreds, two to three hundred events per second,” he explained. “Then something changed and we started seeing upwards of 5,000 events per second.”
What caused the spike? “That’s when the bad actors started adopting AI and really using it to attack us,” Jason said. “If you’re being attacked at Internet speed, you have to be prepared to respond at Internet speed.”
Why Hospitals Are at a Disadvantage
Healthcare, Jason notes, is unlike other critical infrastructure sectors. “The healthcare sector is the only one that I know that has this mandate… that says you must continue being able to provide care to patients, even in the complete absence of power and your tech stack.”
This operational imperative limits the security investments hospitals can make. “If I got a dollar, what do I do? Do I deliver better care or do I deliver something that helps me manage the care I deliver or keep those systems up?”
One Industry, Multiple Sectors
Jason cautions against treating healthcare as a monolith. “We talk about the healthcare industry as though it’s one thing. It’s definitely not,” he said. “We may be subject to some of the same regulations… but when it comes to the regulations and how you achieve that balance… it has to be tailored to the needs of the organization.”
Solving the Wrong Problem
The conversation also touches on regulatory misfires. “Only two of the top 25 [breaches] were hospitals,” Jason pointed out, referring to the Department of Health’s “wall of shame.” “If the other 23 were not hospitals, then this is not a hospital problem. So don’t try to solve it on the back of hospitals alone.”
Why Device Identity Matters
On the issue of unmanaged xIoT devices in healthcare, Jason is clear: “Why am I evaluating the security of that product? The company that made that product is selling it into a highly regulated sector that is known for being the one or top that is most attacked.”
“If that vendor did some sort of security vetting, they would only have to do it once and then everybody else would be able to avoid the duplication of that effort.”
Listen to the Full Episode
From the risks of fragmented regulation to the need for automation in credential rotation, Jason’s insights offer a pragmatic and urgent roadmap for healthcare cybersecurity leaders.
Want to strengthen your healthcare security posture?
Explore how the Phosphorus Unified xIoT Security Management Platform helps leading healthcare providers automate remediation, rotation, and firmware updates for every Cyber-Physical System.
Read our healthcare solutions brief or request a demo.
Episode Transcript
Jason Taule: When it comes to the ability to control all this and avoid the data compromise or breach or unwanted access, um, I think we need to take a look at how we’re managing that because that’s not something that most healthcare systems currently have a process for detecting.
James McCarthy: Hello everybody. This is the IoT Security Podcast. I am James McCarthy, the Director for Sales Engineering at Phosphorus, and today I really want to talk about healthcare and the criticality of devices in delivering healthcare outcomes. I’m joined today by Jason Taule, who’s got a strong background in experience with customers as a vCISO in different areas like manufacturing, healthcare, agriculture, and government. Thank you, uh, for joining, Jason, and welcome to the show.
Jason Taule: Good to be here.
James McCarthy: Yeah, excellent. We have, uh, quite a few good topics to, uh, dive into. Some, some great conversations I’m sure we’ll have here soon. Uh, but before we get too far into the weeds, you want to give us just a quick, uh, intro into who you are and your background.
Jason Taule: Sure. Um, I recently was at a security conference where I had an opportunity to interact with a bunch of people in the industry. And I was told that I am the most entertaining and terrifying person that that individual had ever met. It’s, uh, not me per se. It’s because of the subject that I work with. Right. Cyber. Um, I’ve been in cyber since before we started using that word. I got my copy of the rainbow series in 1986. Um, and I’ve had the very good fortune of working with and for some of the best teams in the business. And everything that makes me a quote unquote expert is, uh, largely because of those teams. Uh, it also has to do with a little bit of luck about being in the right place at the right time when certain events in history happened. And, um, I was able to take advantage of those opportunities and accomplish some good things and help move the industry forward.
James McCarthy: Excellent. Yeah, thank you for that. So one of the big topics we’ve been talking about here, at least at Phosphorus lately, and something I wanted to dive into with you, is around just healthcare in general. It’s, uh, one of the hardest hits hit, uh, sectors by threat actors. Uh, and so if you could give me a little info on how the industry is reacting in response to the rise in attacks targeting the IoT and OT systems, but particularly those kind of life critical medical devices that are sitting on those networks.
Jason Taule: Yeah. So after 9/11, we officially established 16 critical infrastructure sectors. They’re, um, not all as critical. I, uh, think we all know that we need power and food and water. Those are pretty important. And then probably next up, you know, banking and health care. Um, I don’t think people appreciate when you said the rise in attacks. One of the metrics that we, or, uh, several of my customers in this space capture is events per second. Um, as of about eight or nine months ago, the number of events that we were seeing per second hit our environment were in the, in the hundreds, two to three hundred events per second. Um, then something changed and we started seeing upwards of 5,000 events per second. Um, that’s a 1,500% increase. And I attribute that, I don’t know for certain, but I attribute it based on the timing when you see that. Because it wasn’t that the EPS mattered, it was if we were going to see something substantially different from what was normal, we would use that as an indication of some anomaly. And the anomaly was that that’s when the bad actors started adopting AI and really using it to attack us. And the key point there is if you’re being attacked at Internet speed, you have to be prepared to respond at Internet speed. The healthcare sector, according to several of the industry reports, is the number one most attacked sector. Now why would that be? Well, I can tell you a bunch of reasons why. Um, probably the biggest reason is the challenges that the health care industry faces. And I want to take a point, um, take a moment and make this first key point. We talk about the health care industry as though it’s one thing. It’s definitely not. We have organizations that are in the insurance business that provide. They’re the payers, right? They really get risk because that’s really the risk model. It’s the insurance business. Then they’re the providers, they’re the ones that are most challenged. And I’ll explain why in a second.
You’ve got device manufacturers, they’re really more in the manufacturing space. And then you’ve got pharma and other people that do research. We act as though we’re one industry. We’re not. We may be subject to some of the same regulations. We certainly have to participate and interoperate and interconnect as part of a shared ecosystem and we sink or swim together. But when it comes to the regulations and how you achieve that balance, because cyber isn’t one thing, one size fits all, it has to be tailored to the needs of the organization. So unlike, um, every other critical infrastructure, the healthcare sector is the only one that I know that has this mandate, especially for the providers, that says you must continue being able to provide care to patients, even in the complete absence of power and your tech stack, I can’t think of any other industry that does that. Right. I don’t know if you saw this movie that was on TV recently, this Netflix series called Zero Day where there’s this worldwide outage for about a minute, but it affects everything from railroad crossings to banks. People can’t get cash out. It creates this rather catastrophic series, uh, of events. Imagine if the bank still had to be able to allow you to get money out even without the ATM or power. I’m not sure how they would do that. Well, it’s the same question. So how does the hospital do that? And that mission really is commands a lot of the resources that in another industry you would put towards cyber. Because if I got a dollar, what do I do? Do I deliver better care or do I deliver something that helps me manage the care I deliver or keep those systems up? Um, it also means that many of the techniques and strategies that organizations in other sectors are leveraging to fulfill their missions. We have a challenge. I can’t necessarily put everything in the cloud. I would love to. The cloud itself is designed with resiliency in mind. 
High availability clusters, you know, pairs that are load balanced, multiple locations. But when people kind of forget why we invented the Internet, I was on arpanet before Al Gore’s famous I invented the Internet, which was the legislation that made it commercially available. We invented the Internet because we became concerned that these computers which were increasingly serving very important purposes, what if they weren’t available? What if we took an inbound nuclear strike? So we distributed it, we decentralized it, but in doing that, we did not get rid of the single points of failure. You still have failure in DNS, you still got single points of failure in key data centers or a lot of the other infrastructure that’s involved. So that’s a hampering condition that affects the hospital system. So how are we reacting, was your question? Um, not well, number um, one, not everybody in the industry recognizes the same thing because they don’t suffer the same impact. We all had an effect change, uh, healthcare. When that event happened, I think most of the listeners will understand what that was. But when that happened, it affect us all, but it didn’t affect us all the same way. The insurance companies didn’t have to pay claims, they had already received premiums. And I’m not disparaging them, they already had their inbound revenue, they didn’t have to pay it out. If anything they were sitting in a better position than before the attack. Whereas Hospitals, many of them had to resort to short term loans in order to make payroll because it was a cash flow issue. We ultimately knew that the claims would get reconciled, but in the interim, how do you do things like pay your vendors and pay your, pay your personnel? So that was a big challenge. I think the reaction now is that we have to solve this as an ecosystem. We know the bad guys collaborate. We on the good guys side, we have to collaborate as well. And let me just give you one example. 
So whenever, and this is where Phosphorus kind of comes in, I have several of my customers that have been put into this tool because many of us kind of ignored the OT components of our tech stack. Uh, shame on all of us for allowing that to develop in parallel without it being as well managed as it. So in the medical space, we’ve got all sorts of medical devices, we’ve got, uh, bioengineering devices, etc. That all serve good purposes, but they’re on the network and if they’re not on a separate segment, I’ve got to do an evaluation. The security team has to do an evaluation to say, is this introducing risk? What does the product do, uh, how does it do it, what kind of data is it used, how does it protect it, et cetera. Well, why am I evaluating the security of that product? The company that made that product is selling it into a highly regulated sector that is known for being the one or top that is most attacked. I should only be evaluating it for the fit within my organization. Does it meet my culture, does it meet my technical architecture, et cetera. If that vendor did some sort of security vetting, they would only have to do it once and then everybody else would be able to avoid the duplication of that effort. Whereas I’m already down in terms of availability of resources and time, and I’m having to misspend those limited resources doing something that’s not necessarily in the industry’s best interest. So that’s what I’m saying when we’re reacting not well. Um, second, let’s not forget that this event, the event of Change Healthcare in that case or other events, Baxter Asheville and we can talk about the impact that that had came shortly on the heels after Covid. Covid was a wake up call for a lot of organizations, but for hospitals, remember that we, those, those hearers that provided care to people in a healthcare setting, we were only doing emergent procedures, all the elective stuff, if it could wait. We didn’t want to expose people to disease.
So it weighed it well what that meant is a lot of those elective procedures is where hospitals make their money. So we had fixed costs, we had staff that had to get paid, we had facilities costs, et cetera, and we didn’t have the revenue come in. So hospitals across the nation were underwater and we’re just now recovering from that. And then to further compound the situation, in many different states, there are actually insurance rate commissions that set the prices that a hospital can charge for their services. So imagine yourself as an executive in a business where if your costs go up, remember we have an inflationary economy secondary to all the checks that we wrote to keep the economy alive because of COVID which was the right thing to do, by the way. But eventually that had an inflationary effect on food prices, labor, all the many things that a hospital uses. And yet I can’t adjust the fees and the rates that I charge for my services. You would never want to be so hamstrung. And yet we wonder why this is such a problem. Now the other thing that I want to call attention to is, having described that this is multiple sectors, not one industry as a whole. We work together, but really multiple sectors. I think a lot of the regulators and legislators think it’s the hospitals, they’re to blame. Let me just point you to one key fact. If you look at the so called wall of shame, the Department of Health maintains a list of all the big breaches. Over 500 more people on the OCR list, the top 25 there, only two of the top 25 were hospitals. Said we’re one industry. If the other 23 were not hospitals, then this is not a hospital problem. So don’t try to solve it on the back of hospitals alone.
James McCarthy: Yeah, makes sense. Yeah, it’s a huge industry, a lot of interconnecting parts. And unfortunately, I think a lot of the time we try to apply kind of generalities or single rules to try and protect everything. When uh, the reality is you have to almost be bespoke. You have to kind of provide and solve for the problems uniquely, uh, where they, where they exist. That’s a great segue into what I think is another interesting topic because we see it a lot of the times in private industry where, you know, the, the technology is outpacing the regulatory body that’s kind of trying to govern that. Right. And in health care that’s especially true. You’ve got a lot of, of regulation around patient health data. But what are we seeing in terms of uh, our, our states starting to kind of manage their own regulations around this, you see a lot of stuff from California and some other states, or is this going to be something that’s solved at the federal level or even maybe an international level?
Jason Taule: Well, I think first we have to take, um, um, the uncertainty surrounding the current administration’s, the value that they see in regulation. Let’s just take that off the table. Right. Um, I’m not a fan of additional regulation, but, uh, when the government is going to regulate something, I think it should serve a purpose and it should fit the need and it should accomplish what it set out to accomplish. So federal efforts, uh, in the last months of the Biden administration, HIPAA 2 got proposed, uh, and it does contain some rather substantial, uh, enhancements and, uh, it would carry some additional costs. And I think that many of the, uh, organizations that represent the healthcare industry are voicing an opinion that it’s not well conceived and maybe you should reconsider it. And I don’t think that the Trump administration is going to have a problem with that. There, um, are many people though, that said no. This was a bipartisan effort. It was put together, uh, with the input of both sides of the aisle. And there is some merit here and it’s long overdue and we need it and we should have more regulation. The question you asked is, uh, what are the states doing? And I think this is the classic states’ rights debate that we’ve had for decades. When the Fed doesn’t do something, I think many states believe it falls to them to take care of their constituents. And in this case, all of our regulators, our legislators are seen, they need to be seen to be doing something about the problem. Okay, but if you’re going to do something, at least make it so that you’re helping avoid a recurrence of this problem. So HIPAA 2 came out, but let’s back that up. So we’ve had HIPAA in place. The law was passed in the late 90s. The final security rules and privacy rules came out in the early 2000s. But there are many healthcare organizations that to this day still aren’t compliant. Well, why is that? And the government was asking the same question, why is that?
And we, for many of the reasons that we’ve already discussed. So then they came out with section 405D, which says, okay, of HIPAA, uh, this is the subset that really matters, at least do that. And then we still weren’t doing that. So then they came up with an even shorter set called the CPGs, which was kind of these core set of 10 required and then 10 enhanced things. A total of 20 things. If you do that, at least you’ll help. And still there are many organizations that aren’t doing that. And again, if you aren’t addressing the root cause, it’s not that hospitals don’t want to do this or don’t need to do this. And certainly when you look at the impact of events, it’s certainly, we know it’s true. It’s always been true, and it will continue to be true, that it’s pay me now or pay me later, and it’s cheaper if you make the investment upfront. The problem is, it’s a cash flow thing. I’ve got competing priorities. The CFO can’t give you money we don’t have. So I think the legislators heard that and they’re trying to come up with a bit of a carrot and stick approach. The problem is sometimes the carrot really isn’t a carrot. It’s, we’re going to give you the full carrot we already promised you. And if you don’t do cyber, then we’re going to treat that as a stick and not give you the carrot you otherwise deserve. I think some of the states that are doing something right are looking at, how can I provide an affirmative defense?
If you align yourself with a framework and you implement good practices, and then something happens. Because keep in mind, if you’re. Even if the organizations that are 100% compliant with even the most rigorous frameworks can still be breached, because there’s a big difference between compliance and security. Right? Well, wouldn’t it be nice? Because, uh, let’s put this way. I belong to a roundtable. CISO, uh, roundtable. And, um, we get briefed by one of the K Street law firms down in D.C. Um, and the last session I went to, um, the lawyer asked an interesting question that nobody in the room really could give a good answer to, and he said we’re all supposed to do what’s reasonable and appropriate. Now, that’s not just specific to health care. That, that, that kind of language is in a bunch of security rules. Who gets to decide what’s reasonable and appropriate? That’s a great question. Is it the people that created the law? You might think that, but no. Oh, it’s the people that enforce the law. No, wrong again. Is it the people like you and me that have the technical, uh, savvy to understand what’s actually doable, that that should be what decides reasonable? What’s reasonable? Appropriate. But no, it’s the 12 men and women who aren’t smart enough to get themselves out of jury duty. They’re the ones that get to decide. Right. Just, just ask the folks after the SolarWinds, uh, settlement from earlier this year. And unfortunately they don’t have the technical sophistication to understand what’s really able to be done with respect to cyber, what the state of the art is, what the threat actors have in terms of their technology, or what the resources are that a hospital or others in the health care industry have at their disposal. And yet they’re the ones that get to decide that. So I think that’s part of what the challenge is.
Um, the other problem is, and for the most part, health care systems tend to focus on a state or maybe a couple of states, so they don’t really have to worry about 50 different laws. But when Mr. Trump says he would like to have a, ah, two to one, you know, ratio, if you want me to enact new piece of legislation you got, you have to get rid of two that are already on the books. How about a 50 to 1 ratio? Right. We’ve got this panoply of, uh, privacy laws. We’re one of the only developed nations that doesn’t have a national privacy law. We could do a 50 to 1 if we would do that and think about the benefit to organizations because then I wouldn’t have to figure out what do these 50 different states require of me. And by the way, that’s just a breach notification. That’s not even for the privacy stuff.
James McCarthy: Well, what that would allow is for, for healthcare organizations to share their experience, I think more freely. Right. Because now what you’re doing in California can more aptly apply to what you’re doing in, in Maryland or what you’re doing somewhere else. Right. Because you’ve got a better framework.
Jason Taule: In Maryland, we, we are working with, um, our state regulators and one of the state senators in particular who wants to form a working group, which is a much better approach because then you’re doing it with the involvement of industry. Um, our leaders are testifying and giving, uh, contributions. And the idea there is first let’s collect some data. And that’s kind of the first mission is so that you actually know what’s actually going on. I’m not suggesting that that’s it. Maybe it sounds novel, but. Right. I’m sure, I hope that. Keep in mind that our regulators and our legislators, what they’re expert at is making law, not necessarily at the subject matter that they’re legislating on. They tend to bring people in. But we’ve all seen the congressional testimony at the federal level, they tend to bring in one or two rock star celebrities that are big in whatever the topic is. I don’t know that that’s fully representative here. The state, uh, of Maryland anyway, is taking a much more granular, low level approach getting, getting data from all the health care systems throughout the state. So I think we’re likely going to realize a better outcome.
James McCarthy: Yeah, yeah.
Jason Taule: Because the last thing we need is another rule that tells me I have to do what another law already tells me I have to do, but I don’t have the wherewithal to do.
James McCarthy: Yeah, absolutely. Yeah, you said it right though. I mean the key is you have to start from a place of good data. Right. Everything else just kind of comes out from there. But you have to know what’s actually happening in the hospitals and what’s practical or reasonable, like you said, for actual hospital system to implement, because otherwise you’re just making laws up to make them up.
Jason Taule: Now there are a number of different, uh, security rules that have emerged over the past couple of years. The Defense Department’s CMMC program comes to mind that require those who are subject to these rules to sit for an independent third party attestation. While that’s an expensive proposition, and again, see rule one, if we’re already struggling with these issues because we don’t have sufficient resources, I don’t have the resources to spend to pay an outside party if they focused on the objective rather than the how. Right. Because when we say security should achieve these objectives, but each organization has the right to figure out how to get there in a way that makes sense for them. Why not say the objective is independence? It doesn’t have to be third party. If I have an internal audit department and if that uh, uh, has appropriate separation of duties to withstand financial scrutiny, it should also be sufficient for these purposes. Some cyber teams don’t report up through the CIO. They have a separation there because they’re the team that helps figure out what to do. It does it, and then security working in partnership with IA oversees to make sure the thing got done the right way. So I think if you focused on the independence, because that’s what matters. When we provide assurances to all the other members of our ecosystem that we are secure, that we can safely interconnect, it’s the independence that matters, not necessarily that it was done by an outside third party.
James McCarthy: Yeah, we’ve got the mechanism, we’ve got the framework for that already with other industries and other things that we do internally. So let’s just apply that same effort to this concept. Yeah, it’s smart. From here we’ve talked about healthcare and kind of the myriad different issues that might pop up across different aspects of delivering healthcare outcomes. Um, but one of the things that we’ve wanted to talk about here a lot lately with phosphorus is on the device side. Obviously we are a device centric, IoT centric organization and we see the lens through the world of all of the unmanaged, you know, technical assets in an environment. So, um, we talk about that problem from the kind of consumer or the protection standpoint. But what about from the manufacturing standpoint? What are there, are there things that we can do or things that the industry should start moving towards when they’re making these devices to begin with? For whether it’s medical or, you know, any other industry. But the people who are building the devices, should they, or can they build them more securely or should that fall on the consumer side that’s saying, hey, you’re implementing this thing, you should secure it. Like, where do you see that line?
Jason Taule: Well, I think my hand has already, uh, been laid bare in terms of how I would see this, uh, burden. I think it is best fulfilled when it’s performed once by the most logical party rather than everybody in the ecosystem. So I think a lot rests on the manufacturers themselves. I’m, um, not trying to add cost to their sector, but if I can save money and every hospital that they’re selling to can save money, they’re actually going to realize savings. Because one way to look at the CISO role, if you’re the CISO of the device manufacturer, is you’re trying to help your customers do business with you as quickly as possible. Right. We don’t want to ignore the security conversation. We need to have it, but quickly dispense with it so we can get down to figuring out how best to fulfill the business needs. In this case, there’s a medical device, it has a use case, it’s going to, it’s going to help with delivery of care or measurement or management, whatever it might be. I need to put that on my network. I need to know that I can do that in a way that’s not going to put us, our patients at risk. Now the good news is it’s been only about two years since the FDA began modifying their, um, there’s a process that device manufacturers have to go through. It’s called a premarket notice where they submit. If you make a medical device, you have to submit, um, a, ah, series of things to prove that the device is essentially safe and effective. Well, they’ve extrapolated from that. Well, what does safe and effective mean? Well, in the context, uh, it’s not too hard to go to. Data quality is a safety issue. Right. There’s a reason that they come in with a magic marker and they write on the left leg that this is the one that they’re going to do the work on. Right. So we don’t accidentally do something to the wrong leg. That’s a quality issue.
Because if a hacker bumps something in the system and it’s got the wrong part, ah, of your body or the information is inaccurate, that can result in a bad patient outcome. So it’s not too hard to jump from there to cyber being a component of that. And they’ve now added this. It requires these organizations to do a risk analysis, the same things that we’re already required to do. You have to design and implement appropriate controls based on your use case and what that device does. The problem is that this process is called the FDA 510. Is this medical device premarket notice? The problem is that if you earn one, it doesn’t have an expiration date. It’s good until you have a material change in the way the thing that you make does what it does, or maybe it does additional things. Well, for many organizations, you know, um, you know, I’ve got a large high capital expense in my MRI machine. That’s not the kind of thing that I’m going to replace every year. The contract may come up for renewal, but I’m not replacing that thing. So that 510 that, that, that, that big manufacturing company got before the FDA changed their rules, they don’t have cyber in that. So again, I’m left to shoulder that burden without the, the other side, you know, sharing in that burden. So I think what we should think about is not just what we want the world to be, uh, figure that out, but then we have to figure out how do we transition from where we are to where we need to be without it burdening any party or any part of the system in an undue manner. And right now I think the burden is unfairly shouldered by the providers.
James McCarthy: Yeah. And we see that in a lot of ways with the customers that we interact with. We get into an environment oftentimes seeing devices that are 10, 15, even sometimes 20 years old, still sitting on a, uh, on a floor doing its job, having not changed since, you know, the, the late 90s. Right. And so that’s something, that’s a hard.
Jason Taule: Challenge and, and actually that’s a really interesting problem for healthcare because the, especially in the OT space, that thing does its job just as well as today as it did five, 10 years ago. The problem is it’s sitting on top of IT infrastructure that’s old, it’s, it’s embedded Windows, it’s XP, it’s, it’s 2008, uh, you know, and it’s end of life. And I can’t continue to, to use that thing when the infrastructure is old and vulnerable if it’s off support. Well, problem is I don’t have several billion dollars spare change lying around that I can use to replace the thing, especially when the thing doesn’t need to be replaced for any other reason. So. And uh, I don’t have a good answer for that. I mean we can use technologies like Phosphorus to help us identify where we have what. So at least I know about it and that perhaps implement segmentation strategies or, or, or call out to vendors when they’re part of the solution needs to be uh, patched or updated. But the problem is if it’s still on top of uh, you know, problematic, uh, porous, weak infrastructure, you know, then, then that’s how the bad guys are going to find their way in.
James McCarthy: Yeah, and we saw that just recently.
Jason Taule: And then I do want to call out one of the newer things. I think most of us are acutely aware of the introduction and the benefits of AI. And by AI, I don’t mean the rules-based stuff that’s been around for 30 or 40 years. I mean the gen AI everybody’s talking about now. So if you’ve got a review process when you’re about to acquire and deploy tech, you’re going to look at whether there’s a gen AI component and you’re going to ask the appropriate questions and make the decisions that are required of us. But what if the vendor says, I have this additional way of delivering what you already get from me? Now, if they decide to charge me for it, obviously they’re not going to give me that additional capability until we have a new contract. But if they’re going to incorporate an update as part of other updates, I don’t necessarily have the insight to know about that. So again, I think that if perhaps your product or other products are looking at it, when I say scan, I don’t mean scanning the network, I mean evaluating the network traffic, and they can say, oh, I see that this is an OT device that belongs to this manufacturer, and you can help us identify these issues that need to be addressed. It would be nice if we had similar capabilities to look for the signatures and behavior patterns that say, that’s AI, right? That’s generative AI behaving. Because frankly, and I don’t just mean official stuff, and I don’t know that any organizations are doing this, but the ease with which somebody can stand up a container, grab an LLM, put it in the cloud and theoretically start sharing live company data, you know, with that model, that’s pretty scary.
And not that there aren’t good use cases for doing that, but again, when it comes to the ability to control all this and avoid the data compromise or breach or unwanted access, I think we need to take a look at how we’re managing that because that’s not something that most healthcare systems currently have a process for detecting.
James McCarthy: Yeah. And that’s only if, like you said, the vendor or the manufacturer is transparent about the fact that they’re using that technology and they’re not necessarily driven to be that transparent.
Jason Taule: Yeah.
James McCarthy: Well, great questions. I think I want to leave you with one last one. This is a little bit more forward thinking. We bring up a buzzword here that I think gets tossed around a lot, but without a lot of understanding of what it actually means. But this concept of quantum. Right, quantum compute, and the paradigm shift that that’s going to bring potentially in the future here, especially in regards to, you know, how everything in the Internet is kind of built on this concept of encryption and security and safety and privacy. You have to be able to trust and verify that the two things connecting to each other are who they say they are. And if quantum actually poses a risk to that, if they actually can functionally pose a risk to that, what are organizations, especially when you’re already, you know, underwater trying to solve all these other problems, what are they supposed to be able to do about that, you know, bigger problem as we move forward five, ten years from now?
Jason Taule: All right, let’s see if we can unpack this a little bit. First of all, I’m not Chicken Little. I’m not saying that I think that the encryption that underlies not just the healthcare sector, but frankly, everything we do in our economy on this planet today is dependent on the Internet. I mean, the apps are ubiquitous, all of that. If quantum were able to break encryption, we would have to go back to paper. I mean, and that’s not hyperbole. I’m not saying that’s likely, I think the risk is probably pretty low right now. I think that we have folks that are way smarter than me that are working on quantum safe crypto methods that we could hopefully quickly move to. But there are articles that have been reported in pretty mainstream news media, Newsweek, PC Magazine, that have basically said that certain countries have advanced their quantum computing to the point where they’re beginning to crack into, not fully crack, but work the problem. Now if somebody did that, I don’t see this coming out in the headline of a newspaper as 256 cracked by quantum. Because if I had that ability, I would want to keep it secret for as long as possible, because then I can harvest and see the data that we all mistakenly believe is still protected. You know, right now, for many of us, if it’s encrypted, it’s that get-out-of-jail-free card. I don’t have to report something as a breach because it was encrypted. But I think what we need to do is, like so many of the other scenarios that we think about as possible in our risk triage, we probably should have a playbook for this one. Because my guess is if you said to most organizations, if that newspaper article did show up, quantum cracks crypto, would you know where your crypto is? Would you know what kind of crypto it was and whether it was susceptible to the crack? Would you know whether it was your problem to fix or the responsibility of a vendor?
So I think there are things that you can do. And then, by the way, just like you don’t want to do with any massive IT management endeavor, I don’t want to have to patch 10,000 things individually. I have automation, I have infrastructure, and I push to them and they push out. So maybe there’s a little bit of investing, or at least looking at what the strategy would be for that. So if you had that kind of playbook, I think you’re going to be better positioned. But then we also need to think about what are the tests going to be, how are we going to work? Because even if I manage to be ahead and I’ve got a game plan and I’ve got a playbook and I’m back up and running, what if the rest of my ecosystem isn’t, right? How are we going to do that then? And again, most of us, you know, I’ve been around for a long enough time and I remember when we reverted back to paper. Asheville, North Carolina, and Hurricane Helene is a pretty good example of what happened and what may or may not happen. Again, I call attention to this Netflix series, Zero Day. You couldn’t get cash out, and without cash, you couldn’t go into a grocery store unless you broke the windows. And it was a riot. Right. I’ve been in situations with those old-school credit card slips, you remember the ones you used to put in that machine, that some people still had, but I don’t know that people even know how to use one of those or would still have it around, or, considering all the online checking that happens in real time, whether they would even trust a credit card as a valid source for that transaction. So I think we need to be thinking about that and hopefully avert this. But I think at some point, all of us should be mindful that most of the tech that we use is supposedly obsolete before it’s even manufactured. Right. Because the people that built it have to recoup their investments. Our quantum is good, but it’s not infallible.
And with newer approaches, I think that this is a real concern. So, for me, I’m at least asking the question of my vendors right now. Is quantum safe crypto on your roadmap? What kind of crypto do you have? So I can begin to build the database of information so that should this happen, we can act in a more prepared manner.
James McCarthy: Yeah. Start with good data.
Jason Taule: Like everything else, it’s not about outrunning the grizzly, it’s about outrunning the other jogger.
James McCarthy: Right, exactly. Well, Jason, I appreciate all the time today. I wanted to ask, if people want to hear more, learn more about you and hear what you have to say about other topics, where can they go to find you?
Jason Taule: You can find me on LinkedIn. Pretty singular last name, and certainly the first and last name combination. There aren’t too many. I think I’m the only one on the planet, so you should find me. If you come across Jason Taule on LinkedIn, it’s going to be me.
James McCarthy: Perfect. I have the opposite problem. I toil in anonymity with a very generic name.
Jason Taule: Right.
James McCarthy: Excellent. Well, thank you so much for the time.
Jason Taule: Sometimes anonymity is a good thing. Yeah.
James McCarthy: Yeah, it is. Okay. Well, hey, thank you so much, Jason, for all of that great intelligence and great feedback about the industry and what’s going on in that healthcare world. Your insights and experience provided a lot of value to, I know, myself personally, and I’m sure all of our listeners really enjoyed that as well. So thank you again, Jason Taule, for being on the show. The IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, unified security management for the extended Internet of Things. I’m James McCarthy, and we’ll be back with more of the IoT Security Podcast.