B (12:56)

What's your 2am security worry? Is it do I have the right controls in place? Maybe? Are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber.

C (14:00)

And now.

B (14:00)

A word from our sponsor. The Johns Hopkins University Information Security Institute.

C (14:06)

Is seeking qualified applicants for its innovative.

B (14:09)

Master of Science in Security Informatics degree program, Study alongside world class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend.

C (14:39)

Apply for the fall 2026 semester and.

B (14:42)

For this scholarship by February 28th.

C (14:45)

Learn more at CS JHU.

B (14:48)

Edu MSSI.

C (15:05)

Jeff Collins is CEO of Wanaware. I recently sat down with him to learn how hospital consolidations are reshaping it, asset visibility and what it takes to close the gaps.

D (15:18)

When we think about hospitals, especially healthcare institutions holistically over the last let's call it five years, definitely this even occurred prior to that. But there's a lot of consolidation going on, Lots of mergers, lots of acquisitions, lots of large institutions buying up smaller hospitals, buying up smaller clinics, ambulatory surgery centers, et cetera. One of the things that we found is, as those acquisitions happen, a lot of risk is happening within those organizations, specifically within the realm of assets that they just don't know about, which creates security and operational concerns and constraints. Whether those assets are laptops or desktops, maybe they're a machine that is used by a doctor or a nurse. IoT devices, you know, smart healthcare systems, smart EKG, smart patient monitors, all those types of things. We see large amounts of these gaps within the healthcare space.

C (16:30)

Yeah, I mean, I can imagine just anybody who's visited a hospital lately. There's just so many devices, and of course, they're all connected in one way or another these days. To what degree is this a matter of devices that are in active use or devices that are sitting in a storeroom somewhere, or is it a combo of both?

D (16:51)

Well, where we see the gap is really certainly active devices become problematic. The devices that are even more problematic, though, are those devices that are technically active but nobody knows about them. They're connected to the hospital WI FI network. They're connected to an ethernet jack plugged into a wall somewhere. Those are the ones that become even more problematic because nobody knows they exist. They're not patched, they're not maintained, they're not controlled. Sometimes they have, you know, ubiquitous access outbound or ubiquitous access inbound, where, you know, if we're thinking about it from a security perspective, you know, a bad actor outside of the four walls or even inside of the four walls of a hospital can leverage those. Or inside of a healthcare facility, when we think about operational risk, oftentimes those devices have risks. They can generate DDoS attacks. They can be leveraged to perform a whole multitude of attack vectors inside of a health institution. Sometimes those devices are unknown, but they're part of something that is known. Maybe it's a backend system that's required for an MRI or for a CAT scan. That device goes down. Nobody has any idea that a device exists, and that becomes problematic across the board within that healthcare institution, regardless of if they're a hospital or a physician's office or a surgery center or whatever it may be.

C (18:26)

So what is the typical fallout when a merger happens between a couple of medical facilities and they suddenly find they have to blend all of these devices?

D (18:39)

Yeah. So what we've seen, certainly within our surveys that we've sent out, and we do lots of Surveys each year to try to understand what is the scope of this. You know, when we look at those surveys, certainly high percentages of organizations don't know everything that they have. When we think about fallout, fallout is somewhat harder to measure. We can look at fallout in the realm of publicly disclosed breaches. Certainly there's, you know, those keep continuing upward in trajectory. We see more and more of those every single year. As we see those breaches, those give us a good insight into what's going on, primarily because generally those breaches are disclosed where they started. And oftentimes they're started from a machine that's either known or unknown, or a machine that has some level of compromise that could be leveraged by an attacker. Operational risks become harder because oftentimes those don't get disclosed to the general public because there's not. There's not really a regulatory constraint unless something happens and a patient outcome is affected directly, which is extremely problematic. But the reporting within that, and the reporting of such is certainly noticeably less.

C (20:07)

Well, I mean, obviously this is your area of expertise, being able to inventory what's on someone's network. Can you help us understand, like, where do we stand today? What is the state of the art when it comes to best practices for trying to get a handle of what exactly you got on your network?

D (20:26)

Yeah, so certainly best practice today is to leverage technologies that allow organizations to, number one, understand what assets they have without creating operational or security risk to the organization. There's lots of technologies out there that will do scanning that you can deploy agents, you can deploy all those things. The risk is, is that anytime you do a scan or anyt, especially if it's an authenticated scan, and anytime you deploy agents, that creates additional risk for the organization. As we talk to healthcare institutions, whether those are hospitals or all the way down the line, we find that, generally speaking, they have technologies already that they could leverage to get this information. They just historically haven't had a great capability of correlating that data, tying it all collectively together and being able to action on it. And so as we talk to organizations, that's really the big piece that we push on, is don't go buy and deploy new scanners or don't go and deploy new agents, that creates additional risk, but rather leverage the technologies you have, whether they're endpoint protection technologies, whether they're existing firewalls and all those individual components, and then how you can take all of that and collectively understand the scope of what you have organizationally, and you can now quantify your Risk, understand that and then ultimately over time, minimize and mitigate that risk, both from a cybersecurity as well as an operational perspective.

C (22:08)

What happens once you've gotten past that.

B (22:11)

Initial evaluation period and now you've got.

C (22:16)

Let'S call it ongoing monitoring of the situation? Because an organization like a hospital is practically a living, breathing organism of its own. Right? There's. Things are constantly changing when you're running a place at that scale.

D (22:32)

Yeah, yeah, so what? So once you've, once you've actually got those assets ingested, once you understand the relationships, really the reality is, is twofold. Number one, you have to make sure that quickly you can understand new assets. That living and breathing organism, which is a healthcare organization, whether it's a hospital or even a physician's office, the reality is they're constantly getting new technologies, deploying new technologies, changing older technologies out. That is a constant change that's happening. The reality is you have to be able to keep up with that. Getting, getting an understanding of everything we have today is certainly that's a benefit and we should, we should applaud for that. But when the world changes tomorrow, there's only so much that we can rest on our laurels. And so the reality is, is that we have to continuously be able to understand new things coming in. We have to have flexible systems that allow changes in technology, that allow innovation, which is drastically happening inside of the healthcare environment. All of us hear about AI and we hear about how AI is changing all of this and how AI is changing patient outcomes and technology stacks. And we have machine learning going on and we have massive scale data lakes and data warehouses happening, all those things occur. But really that first big piece is you have to be able to adapt and change as your environment evolves. The second major piece is once you've had that capability of evolving and understanding and being able to change with the business, the second thing you really have to do is to be able to action upon that. So just because you have things and just because you have knowledge, if there's an outage, you have to have the ability to resolve that quicker. Outages are operational. If there's a breach, you have to be able to get to the source, understanding what we call the blast radius. You know, when something happens, whether that's operational or cybersecurity related, that happens generally in one device or in one application, but that expands and grows oftentimes across an organization. If it's a breach, maybe it's one machine that was originally breached and then that grew to 100 or 1,000 or sometimes even more than 1,000 machines, if it's an operational risk. That may have been one machine that went down, but that was crucial in, let's say the entire EHR system or the entire EMR system. That one individual machine became something that problematically took out the entire healthcare organization. And really that resolution time of being able to leverage this, provide benefit to the business itself is crucially important.

C (25:34)

What's your advice for that security professional.

B (25:37)

Who'S looking at their own situation and is feeling intimidated by the potential for what they're going to find out? They're afraid that they might be overwhelmed with the information that's going to be presented to them.

D (25:51)

Well, what I would say is every health, I mean every healthcare cybersecurity professional should be concerned. The reason why is because what's happened historically, anytime they've heard, I can get more information, what that is equated to is more non actionable alerts, more non actionable events. That's the reality of what has happened. You know, if I go back in my history, 25 years in technology, all of us that have been in the space a long time, that's what we've heard for 25 years, you can get this brand new technology and it'll give you all the insight in the world. And the reality is it was a whole bunch of alerts and a whole bunch of events that just wasted time. It's what cybersecurity people call the false positive. False positives are what break everything. That's what creates the work effort that can't be resolved. The key is, is you have to do this without getting false positives. Now how do we do that? You do it by understanding context. Cybersecurity professionals understand that things are false positive because they understand the context around that alert. They can look at that alert, they can see it's associated with this device. They understand if they have a compensating control that might be mitigating, that they understand if it's, you know, siloed. Maybe it's in a zero trust model where it's only that machine sure that machine is breached. It's very low priority and very low risk to the organization. And while it came across as a critical event, it's really something that can be dealt with tomorrow or in a week or whatever it may be. It has no patient data on, really just has no priority to the organization. That's where cybersecurity professionals have historically provided that context. The key going forward is that technologies as well as processes and procedures have to be able to do that more systematically. Our cybersecurity professionals have to be able to focus on the risks that really matter to the organization, those which require people and the rest of this stuff. Mitigating false positives, mitigating operational risk, doing all these types of things. Those all need to be done by systems and they need to be done in a manner where we're not getting more and more alerts and metrics, tricks and all of this log information that's really just false positives that waste people's time.

C (28:28)

That's Jeff Collins, CEO of Wanaware.

A (28:46)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone.

E (29:10)

Learn more@WhatsApp.com this episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

C (29:58)

And finally, Jason Allen is still fighting to prove that a robot assisted masterpiece can in fact, belong to its human co pilot. In 2022, Allen stunned and infuriated the art world by winning the Colorado State Fair's Fine arts competition with an image spun up by midjourney, the then new AI Art generator. Since then, he's spent three years in legal limbo trying to convince the US Copyright Office that his digital muse didn't steal his thunder. In August, he filed yet another brief, hoping to claim authorship over Theatre d' Opera Spacio and conveniently to sell limited edition oil print elegraphs of it that promise the gravitas of a 19th century masterwork minus the hand cramps. Allen insists the creative act lies in the hundreds of prompts he typed to coax the machine into beauty. Whether the courts will agree is anyone's guess. Whether it's art or algorithm, Alan's work has definitely sparked some creative debate. And that's the cyberwire. For links to all of today's stories, check out our daily brief briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our Executive producer is Jennifer Ibin. Peter Kilpie is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

B (32:38)

Here we have the Limu Emu in its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating.

D (32:49)

It's accompanied by his natural ally, Doug.

E (32:53)

Limu is that guy with the binoculars watching us.

D (32:55)

Cut the camera. They see us.

B (32:57)

Only pay for what you need@libertymutual.com Liberty Liberty Liberty Liberty Savings Very Underwritten by Liberty Mutual Insurance Co. Affiliates excludes Massachusetts Cyber Innovation Day is the premier event for cyber startups, researchers and top VC funds firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid datatribe.

C (33:52)

Com.