
A
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet. Welcome to the Risk Never Sleeps podcast in which we learn about the people that are on the front lines delivering and protecting patient care. I'm Ed Gaudet, the host of our program, and today I am pleased to be joined today by Chad Holmes, product evangelist for Cynerio. Chad, welcome.
B
Thanks for having me on today. I really appreciate it.
A
Yeah, good to see you. Last time I saw you, we were both at HIMSS, I believe, a couple years back.
B
We see each other at events, but I'm always reading your research, you're always reading mine. So we're always in each other's lives, right? That's.
A
That's awesome. That's awesome. So let's start off with. Tell our listeners a little bit about yourself, your role and your organization.
B
Yeah, absolutely. I'd love to talk about myself. So my name is Chad Holmes. I'm focused on evangelism, which means I work with really smart people doing interesting research and interesting work in trying to share our findings and the protections we create with the broader community. My background is in software development, and that kind of graduated me up to security testing and now working with product and research at Cynerio. What we do is we focus on healthcare cybersecurity only, primarily Internet of Medical Things. So IoMT, IoT, OT, but we also are expanding into IT as well as NDR, so detecting network attacks. So entirely focused on healthcare, much like I believe you guys are as well.
A
Nice. Does that mean you're going to compete with a CrowdStrike or.
B
Well, it's interesting because CrowdStrike typically works in the EDR and XDR space. And what we're finding is that there's this big gap where you simply can't deploy EDR on medical devices. So we have to look at things at the network level. So we don't want to compete with them. We want to complement what they're doing.
A
Yeah, yeah. How did you get into healthcare in cyber?
B
Oh, boy. So, yeah, it was not career path A, let's say that. I had been working, teaching, training for security testers. I was teaching cyber ranges and the pandemic hit and that did not really help with training. There was. And so the opportunity to work with Cynerio presented itself and the interview was great because I said, well, I'm an application security guy. I've never worked with network security, and really I'm writing and teaching now. I'm not really evangelizing a whole lot, so I'm not checking any of the boxes. And they said, great, you're hired. So I like the thing. It works great. The fact that we're talking, I think makes it work.
A
That's terrific. Yeah. And then any particular thing that prepared you for healthcare, Any particular experiences or.
B
Just jump right in. So I think anyone working in healthcare that's worked in other industries realizes that what we're seeing today happened in almost every other industry 15 to 20 years ago. So my entire background has prepared me for this because I can go back and say, oh, if we look at data breaches and data exfiltration that was happening in the purchasing card industry 20 years ago, if we can take what they did and tailor it to healthcare, we can do that. Finding vulnerabilities and doing research, I did a lot of that early in my career, has absolutely helped me in terms of how we'd go to market with groups like Ponemon Institute, which you're familiar with, and figure out how to do surveys. So we can find really interesting things that we can help you.
A
Yeah, interesting. And then what's your research showing you about the recent larger systemic attacks such as CrowdStrike? I know that wasn't a cyber related incident, but still it was an operational risk that impacted a lot of folks.
B
So CrowdStrike's really interesting because the first thing it made me realize beyond oh no, this is awful and is my flight to Salt Lake City canceled or not was it did not have a huge impact on healthcare. Right. Because if you look at a lot of the environments it focus on, it was all Windows environments. And the challenge in healthcare is a couple things. One is CrowdStrike wasn't installed in a lot of places because we don't have anything installed. And that should be terrifying to all of us. Right? Yes, they had a blip, but the rest of the time there are no protections in most of these environments. The environments where it was installed was taking out tens of thousands of machines. In some cases it led to canceled appointments, canceled surgeries. And then at the end of the day, the really scary thing is about half our environments in healthcare are not Windows machines. Right. They're often bespoke operating systems, which means nothing can be installed there. So technically it's not possible to protect them with that method. But also from a patient safety standpoint, imagine if every IV pump in the world, or even just a fraction of them, had CrowdStrike on them. We would have seen mass patient casualties and not over exaggerating that we would have seen direct deaths come from that. And I'd love to talk about the deaths we're actually seeing, as scary as that is. But what we need to realize with CrowdStrike is that they do a good job most of the time. We saw a really bad blip on the radar, but that has uncovered in healthcare that we have a lot of space to grow into actually protecting the devices and the patients that we're trying to help.
A
It's interesting. I know a lot of the. We both share common research when we looked at the impact of ransomware on patient safety and patient care, but you just said you're seeing deaths, so are you actually seeing deaths?
B
Okay, so that comes down to how we talk about deaths. Right. There's this lizard part of our brains where we say, oh, no, a hacker is going to come in and try to kill me personally. And the reality is, almost none of us are that important. There's, like, 25 world leaders where they actually face that threat, and they're not on the same systems we're on. And so we have to really educate the market about how patients are impacted by these attacks in reality. And the reality is we need to stop thinking with the lizard brain, the scary part. And we need to start thinking about what happens when there's an earthquake or a natural disaster or a blizzard in our part of the world. What happens there is the systems go out and those naturally lead to impacted care. Those mean people can't come in, you're canceling appointments, whatever the case may be. And we know from studies that are 20, 30 years old, as well as studies more recently yours, ours, a great one, that looked at Medicare recently that saw in certain cohorts mortality rates increased by 35%. That's absolutely terrifying. And so we need to start thinking this about impacted patient care, not direct for us, their lives, because that's what's really killing people and impacting their care.
A
Is that the one that came out of Michigan, maybe? Was that.
B
Yeah, that's the one that came out of Michigan, looked at Medicare, and much higher numbers than any of us expected.
A
Yeah.
B
But right in line with what we found. In terms of the more healthy cohorts, too.
A
Yeah, yeah. In indirect, like the divergence of ambulances to a medical facility or a hospital. Obviously it's real and it's scary, especially if you're in the back of the ambulance.
B
Yeah. And there's a couple other studies that have looked at the rippling effect, too, because it's not just the hospital that got hit by the cyber attack, it's the other hospitals where they diverted and they start getting overrun with care. And so it's not just the 100 people, 200 beds, it's the thousands of beds in that community that are impacted.
A
Yeah, yeah, really great point. So as you look out over the next 12, 24 months, what are your top three priorities?
B
The number one priority is helping healthcare learn how they can handle the risk they're seeing today. We've seen a whole group of technologies in companies like ours and our competitors that really want to do the right thing in terms of what are the long term ways we can stop these attacks. And that's things like identifying your devices, micro segmentation policies, all that. The challenge we see is that healthcare just doesn't have the people, the resources, the education to address these. And when they do get them and they hire them, they quickly go to Google or Facebook or wherever because they pay so much more. Right. So one thing that we're really focusing on is one, tailoring those technologies to healthcare environments to make them a little easier to adopt, but two, more importantly, identifying technologies that they can adopt today to stop the attack replication so we can implement longer term protections. And again, that comes down to identifying attacks on a network, seeing when a device gets infected, accepting it's going to happen occasionally, and stopping those attacks from replicating. So we call that network detection response. There's others out there. We're the first one that I know of that's tailored to healthcare.
A
Yeah. And so how do you help with some of the challenges for a solution like yours or others where there's a lot of data that's coming out, there's a lot of potential noise in the signal, false positives, false negatives, et cetera, but also the amount of configuration and management that it would take to get that signal.
B
So three steps to that. First is deployment of the initial technology. So we have appliances that go on site. I won't go into the details. That's a pretty straightforward process because it's deployed just like other technologies that are in the environment today. So that's been whittled down to a few hours in most cases. So the initial deployment shouldn't be scary. The second pass there is taking the massive amounts of data that we see and making them useful. So we recently went back and took a look at what our entire customer base does in the matter of a month. We analyze 22 petabytes of data per month. I don't even know how many zeros that is. It's a massive number. And we have to realize that no one in the world, particularly in healthcare, is going to be able to analyze all that. So we take those 22 petabytes of data, trim it down to roughly half a million actual incidences that require investigation. And that's where non healthcare specific technologies usually fail. They hand those half a million incidents over and say, hey, look through these, good luck. The three IT folks in a hospital do not have the time to do that. So what we add to it is additional analysis. Right. But we also add our Cynerio live team that goes in and analyzes to find the two or three valid attacks each month that are coming from that. So it's this really interesting big data problem that if you take a couple steps specific to the environment you're working in, you get to the things that really matter. Those two or three attacks, rather than just saying here's some interesting data, good luck.
A
Now are you looking at signature or are you looking at the actually cracking the packet and doing SSL cracking and...
B
Great, great question. So the assumption that we have to do SSL packet inspection is rough in health care. The reality is most healthcare networks do not encrypt the data. Right. 99 point whatever percent of the data in healthcare is, that's scary. It's going across the wire, which means if a hacker physically gets in the environment, they can sniff it. The reality is that's not a real threat vector and it plays into our advantage and healthcare's advantage right now. So we're actually doing deep packet inspection. So we are looking at signatures, that's a standard method, but we're also looking at behavioral. And because we only focus on healthcare, we can understand that if an IV pump and a nurse's station are talking, it's probably okay, particularly with a certain volume and certain types of data. If the Tesla in your garage is talking to your stress test treadmill, maybe we should look at that. So it's a combination of different techniques. One other point there, there's about 160 protocols that are unique to healthcare. And that's why we're so focused on healthcare, because we just can't spend time customizing to every single. We want to focus on those.
A
No, that's. That, that's great. And how is AI rearing its ugly head in your solution?
B
Everyone's an AI company today.
A
That's right. That's why I figured I'd ask it that way.
B
Yeah, absolutely. So we work with AI in three ways right now. The first is a pretty simple front end Thing where you go and say, show me all the IV pumps in site A and the customer report comes back. That's the most obvious one. It's not all that sexy, but it makes perfect sense. The second one is actually going and doing that additional analysis I talked about. We can whittle down those packets to a certain number and then we can train our engines to do additional analysis, like the data flow analysis I was talking about. So that's the most common one we use there. And then third, we use the information we're seeing to help inform product development as well. It's not that we're always going to just get magic AI with all the answers, in fact, and fully trust AI engines from what we've seen. What we do is we get the data from them and give it back to humans to help with further development.
A
Nice. And do you know how Are you using OpenAI? You have your own stack you're using.
B
How are you? Anyone that says they know everything about AI and ML and exactly how they're using it is not true.
A
It is that. That. That actually is something I've learned early on in this process. Everyone has an opinion. Most people don't know what they're talking about related to AI. It's.
B
So when you talk to people. Yeah, sorry, when you talk to people about AI, if they're not saying, I don't know about something, be a little cautious.
A
Yeah, no, and it is, it's exciting. It harkens back to the, the, the birth of the Internet for me anyway. But it's much more accelerated and it's much more sophisticated and complicated, which is awesome. Which makes it interesting to still be in tech, to say that you do.
B
Know one really interesting place we use it because technically I'm a marketer, don't hold it against me. But at the end of the day, we've used it to generate a lot of the draft content we use. So we go and we can figure out the bullet points, what we want to say. We are very much a startup and a lean team, so we can take that, run it through Gemini, which is particularly good at creating content and that helps us go to market with messaging a little faster. And so it's not an elegant use of it, but it's an incredibly effective, practical use of it.
A
Oh, interesting. Yeah, that's cool. All right, so let's switch topics a little bit. What keeps you up at night?
B
Oh, my goodness. What doesn't keep me up at night is I feel secure in going to hospitals. I get that question a lot. Right. The hospitals are under attack. We see hundreds of breaches a year, but the odds of an attack happening while you're at a hospital are pretty low. That said, my hospital in New Report, Massachusetts did have a massive data breach, so thank you for sharing that data. It's easy to find out who that is. What keeps me up at night is more that we have systematic issues in the healthcare environment that are leading to massive losses of money. Literally billions would be of dollars a year that there are known protections for that other industries have adopted. And we need to find a way to get the right resources and funding to healthcare environments to help protect our patients. At the end of the day.
A
Outside of your day job, what are you most passionate about? What would you be doing if you weren't doing this job?
B
Oh, anyone watching this that knows me just is screaming hiking right now. Right. I literally moved to the mountains to hike as much as I could, and as I'm getting towards my mid-40s, that's hurting more and more. But I do a lot of hiking in the White Mountains. I just came back from Utah. Absolutely love hiking lessons.
A
Did you do Zion?
B
No, I've done it in the past. This was just Salt Lake City, so I hiked to Fifth Water, which is thermal pools, and I hiked to some other falls. It was beautiful.
A
Nice. Nice. Did you ever do Bryce or.
B
Oh, yeah, yeah. So my wife and I do most of our vacations around either national parks or ballparks.
A
Nice. All right, that's very cool. So you like hiking? All right. I was just talking to someone today just before this call about hiking the Camino in Portugal, so starting in France. Have you ever looked at that or.
B
I've read about it once, but I'm not too familiar.
A
Yeah, you can hike at different points. Much more of a pilgrimage than it is a hike and it tends to be somewhere in the 300 to 500 mile mark. So you need a couple of weeks to do it. But it's quite interesting and I had a good friend do it recently and I followed his journey along the way. He was posting photos and I was talking to him, texting him throughout his journey, and it was really fascinating. And so actually someone on our team is going to be hiking this, the walking the Camino soon. So it's a very spiritual experience as well. So if you're into. That's something to take a look at.
B
The other side of that is we have a big international sales team and one of my Welsh teammates goes hiking right. In Wales, and it's these big broad paths along the beach and there's like 30ft of elevation gain. That's the kind of walking I want to do as I get older.
A
Yeah. Yeah. Awesome. So you go back in time and see your 20 year old self. What would you tell them?
B
Yeah, there's been this interesting shift in corporate America over the last 20 years where when I was really early in my career, you had to stay with the company for 20 years or you were seen as job hopping. And that's not the path I took. I'm a startup guy. I like to jump every two to three years and do interesting things. And so I'd say it's going to be hard at first, but keep doing interesting things, keep saying yes to valid opportunities and it's going to be able to propel your career and do really interesting work.
A
Yeah. It's so funny you say that. I remember when I first started off, I was so. I've done startups all my career and early on it was almost like every three years. I was onto something new. And my father pulled me aside once, I think it was on the third company. And he said, your mother and I, we want to talk to you. We're really concerned about your ability to hold a job. I started laughing. I'm like, you've had one job for 40 years, dad. This is, this is tech. It's very different.
B
So it's different. And there are no gold watches at the end.
A
That's right. There's no gold.
B
You have to go. What's best for us that it's just a generational mindset.
A
Y. Absolutely. All right. So I'd have to ask you this question. This is the Risk Never Sleeps podcast. What's the riskiest thing you've ever done?
B
Yeah, I'm going to go back to hiking. So one of the lists I recently finished was the New Hampshire 48 4,000 footers in the winter. I've done the. The 4,000 footers many times over. But this, you have to do it between December 23rd roughly and March 22nd, I think. And the White Mountains in New Hampshire are notorious for incredibly dangerous weather and quickly changing weather to the point once I was on Mount Washington, I opened my mouth and literally the saliva and the snot just flew out of my mouth. It was awful. But the most dangerous was I was doing Franconia Ridge. It's one of the top hikes in the U.S. it's. Yes, I did the full ridge. So it's 13 miles long. Not just the mini Ridge, everyone right and the weather was supposed to be clear. And I got up to the top of Lafayette and it was not clear. It was 70 mile an hour gusts. No visibility, just terrifying. And I had my snowshoes. I have my full pack. And I just got to a point where I was saying, you've done this before. One step at a time. You'll get through this. And you never want to be in that point, I promise you. And it was one of those things where I just had to dig deep and keep going because there was no options. I reevaluated a lot after that. Right. I said, okay, maybe not that again. I'm glad I got through it. It was the riskiest thing I've ever done and really inform some future life choices.
A
Yeah, that's interesting. I was up in New Hampshire last year and I went. I took a talk about risk. I went on the cog rail. You ever do the cog rail up Mount Washington?
B
Oh, absolutely. Yeah.
A
And we were the last. We ended up being the last ride for the season, as it turned out. We get up there, it's just. It was blowing sideways and you walk two feet and you're just drenched and cold and it was awful. But it was fun. It was fun doing it. And definitely highly recommend the cog rail, especially in November, December time frame, if you can't do it.
B
My experience is I'm usually walking under the cog on a path, waving to people. Yes, right.
A
That's right, exactly. All right, Music or movies?
B
All right, I'm going to go three on a desert island. Right. First for a book. I'm going to go Bill Bryson, A Walk in the Woods. Olympia. There's some history. It's a great read. You can read it all day.
A
You're on an island. So the woods theme.
B
You know what, the tongue in cheek academic humor that he puts out there.
A
Yeah.
B
It'll lighten the mood a little bit.
A
Okay.
B
Okay. The next one. I'm a huge Ben Folds fan, so he's mostly known for one song. He has a much larger catalog. The one song isn't even representative of what he does. Right.
A
That's so true. Yeah.
B
A pianist. He does a lot of symphony work now, but he had a retrospective, The Best Imitation of Myself, that has 70 something songs. So I'm cheating. It's a best of, but I'm gonna do it.
A
Yeah. Okay.
B
And then finally a newer band. They've been around for about 10 years. They're three brothers out of New York, they're a band called AJR. They're rock, pop, a little bit electronic, and they just have a fun, upbeat, really energetic sound for those down days on the island. And so I'd go of their albums, I'd go with The Click simply because it has the most playtime.
A
AJR.
B
AJR. Yeah.
A
I don't think I've. I guess I've heard of them, but I don't think I've ever heard any stuff.
B
You'll have heard them in bumpers relating into talk radio. They have a Cinnabon commercial. They have MLB commercials. Heard them. You just don't realize you have Cinnabon. Oh, they, they get really catchy things that commercials love.
A
That's pretty funny. Oh, and it's in keeping with Ben Folds too.
B
Yeah, it's the tongue in cheek entertaining. You don't know you're listening to them until you do.
A
Yeah. You must be a Sublime fan too.
B
Of course. Yeah.
A
All right. And how about movies? You didn't mention any movies.
B
Oh, I'm not a big movie guy because I have such short attention span that unless I'm on a plane, I can't last the 90 to 120 minutes. So documentaries would be in there. My go to plane movie is Moneyball. Right. Michael Lewis book made into about data analytics and major league based.
A
The Big Short, too, is an amazing movie.
B
The Big Short, yeah. That's number two. If I have Boston to San Francisco, those two will fill up four of the six hours.
A
Nice. Hardest lesson in your career.
B
Ooh, hardest lesson in my career. Everyone that's ever gone from sales engineering like I was in the past, or from, I'm sorry, from engineering to sales engineering to marketing, has to have the really tough lesson that you don't win based on technical capabilities a lot of the time. And as a techie that was writing code, I just thought you would go in and say, here's our solution. It's the best thing possible. Buy it. And the ability to influence people is so incredibly valuable. And a lot of technical folks miss that in their career. And if you can find a way to influence people not just by bits and bytes, but actually figuring out what their problems are and helping them solve them, that's 90% of the battle.
A
Yeah, that's great advice. Last question. What advice would you have to folks coming out of school that want to break into healthcare and break into cyber?
B
Break into healthcare or cyber. Okay, so for cyber, I don't even think you'd have to be coming out of school at this point. There's a lot of new resources. I worked on cyber ranges for a company called Security Innovation. They just got acquired by the way, and spun off their cyber ranges. But I worked teaching people to learn how to hack on cyber ranges. So knowing that there's resources like that, like the SANS Institute that are out there where you can go and get your hands dirty and learn the practical skills is incredibly valuable. A lot of organizations still prefer four year degrees but don't require them anymore. So actually learn the practical skills, not just the theoretical in healthcare. Just know you better have a really good passion for helping people because there's a lot of other industries where you can make more money. It's going to be less frustrating. One of the reasons that I am in healthcare now instead of working with big banks and tech companies is because there is some real tangible benefit to other humans at the end of the day. Yeah, but you have to have that as a driver if you want to be really successful.
A
Yeah, no, that's so important to have that connection with the shared mission of healthcare because it's real and if it doesn't matter, you probably should be doing something else.
B
Yeah. If you want to be in a dark room just pounding away on the keyboard, that's great. Healthcare, a specific industry may not be the best place for you.
A
That's right. Excellent. What are you doing for the weekend?
B
Oh, I'm going to a concert, then I'm going for hiking.
A
So what concert are you going to see?
B
I'm going to AJR's, the final. I'm going to AJR. I was. I saw them in Manhattan last weekend.
A
That's great.
B
Austin back in February or April. So I'm gonna go see them. Yeah.
A
Have you been to the Sphere yet?
B
I have and I can't wait. Have you?
A
I did. I went to three shows in June. Yeah?
B
What'd you say?
A
I saw Dead and Company. I'm a big deadhead. So yeah, I saw the latest version of them, if you will. But yeah, it was. I tell everybody, if you can get to the Sphere, Eagles are coming. If you like the Eagles, U2 just played there, I'm sure AJR will play someday, right?
B
Was it completely immersive? Did you feel like you were just.
A
Not only completely immersive? It's hard to understand the experience without experiencing it because everything else is analog. It's one dimension and it really doesn't do it justice. So even the videos, I mean, I. I shot a lot of videos while I was there to give people a sense of. Folks had told me, don't go and watch videos. You know, just go in with no expectations and you'll be complete. And I was completely blown away. At one point I was holding onto the back of my chair because I thought literally we were taking off. That's how immersive it is.
B
It's like your first experience in an IMAX theater then.
A
No, I've been in. I've been in IMAX. I think this is very different than IMAX.
B
Interesting.
A
Okay, yeah.
B
Next time in Vegas for a conference. Whatever is playing there, I'm sure I'm going to attend because it looked like such a great venue.
A
Yeah. And they have different shows you can go to too. But it's a very different. And also the other thing I real. And I'm glad I went three nights. The first night was the open mouth. I'm 18 again. Or I was actually nine years old again going, what is this? It was crazy. But by the third night I was tapping into the music, the audio, and it is the highest fidelity audio I've ever heard at a concert.
B
It was amazing.
A
Not only that, again, it was immersive. They had speakers in the chairs. They had. You were surrounded by the sound, which was not obnoxious either. Like, it wasn't like, I've been in some concerts where it's obnoxious. Like, oh, there's a speaker behind me in here.
B
It just.
A
It you were surrounded by it and therefore you didn't even realize you were surrounded by it.
B
And so is that going to set a new stage for other venues? Do you think that's a Vegas only thing or are these are going to spread?
A
No, I don't know. It's a good question. I don't. I think they may be publicly traded as an organization like Sphere Entertainment is like publicly traded. So it's a great question because they would be limited in terms of growth if that. So I could see it in London, I could see it in Tokyo. I could see it in different. Definitely in different locations.
B
Going to be in Lowell and Boston.
A
And it won't be in Lowell. I don't think it'll be in Lowell anyway. But it may be in LA, although it's close. That's close to Vegas. So maybe there's a. Maybe there's an East Coast version of that, but. Oh, dude, it was. Chad, you gotta go. It was incredible. It was such a great time.
B
And whatever it is, I will get in there.
A
Such a great experience. All right, sir. Well, thank you. This is Ed Gaudet from the Risk Never Sleeps podcast. And if you're on the front lines protecting patient safety and care delivery, remember to stay vigilant because risk never sleeps. Thanks for listening to Risk Never Sleeps. For the show notes, resources and more information and how to transform the protection of patient safety, visit us at censinet.com, that's C-E-N-S-I-N-E-T.com. I'm your host, Ed Gaudet. And until next time, stay vigilant because risk never sleeps.
Tackling Cyber Threats in Healthcare: Essential Strategies for Protecting Patient Care
Host: Ed Gaudet (CEO & Founder, Censinet)
Guest: Chad Holmes (Product Evangelist, Cynerio)
Release Date: September 19, 2024
This episode dives deep into the vital and rapidly evolving landscape of healthcare cybersecurity, emphasizing the strategies, challenges, and technologies necessary to protect patient safety in increasingly digital healthcare environments. Ed Gaudet sits down with Chad Holmes to discuss the realities of systemic cyber threats, the impact of major incidents (like the CrowdStrike event), and actionable approaches for healthcare organizations to manage escalating risks—especially in environments where resources are thin and stakes are high.
Chad shares his path to healthcare cybersecurity
On why healthcare is behind other industries
Implications of CrowdStrike’s Outage (Operational, Not a Cyberattack)
On “Deaths” from Cyberattacks:
Chad’s Three Priorities for Healthcare Security
Challenges with Data Overload & False Positives
On the Shift from “Lizard Brain” to Real Impact:
On Industry Staffing Challenges:
Ed’s Reflection on Career Pivots:
Chad's Passions Outside Work
Riskiest Thing He’s Ever Done
Desert Island Picks
Hardest Career Lesson
Advice to New Entrants
| Topic / Quote | Speaker | Timestamp |
|---|---|---|
| Chad's path and Cynerio's focus | Chad | 00:57 |
| Impact of CrowdStrike outage on healthcare, potential for patient deaths | Chad | 04:24 |
| On indirect patient harm from cyber events ("lizard brain") | Chad | 05:27 |
| Ripple effect to surrounding hospitals after an attack | Chad | 07:00 |
| Top priorities for next two years: NDR and actionable protections | Chad | 07:25 |
| Data overload: "22 petabytes/month – half a million incidents – 2 or 3 real attacks" | Chad | 09:36 |
| Most healthcare traffic not encrypted, deep packet inspection advantages | Chad | 10:32 |
| AI use in security (and skepticism about AI hype) | Chad | 12:43 |
| Riskiest adventure: Completing NH 48 4,000-footers in winter | Chad | 17:46 |
| Biggest career lesson: Influence vs tech skills | Chad | 21:51 |
| Breaking in: "Get practical experience. Passion is essential for healthcare." | Chad | 22:40 |
Both Ed and Chad bring a candid, conversational, practical tone—mixing real-world experience with technical depth, humor, and personal anecdotes. The episode is especially valuable for healthcare leaders, cybersecurity practitioners, and newcomers looking to understand both strategic and day-to-day nuances of protecting digital healthcare environments.
Key Takeaways:
For more resources and insights about healthcare risk and patient safety, visit Censinet.