Rockville, Md.-based Sepio Systems, a zero-trust hardware access (ZTHA) company, recently announced that Baptist Health selected its HAC-1 solution to add a new layer of defense against rogue devices used by cybercriminals to evade traditional threat detection tools.
Sepio HAC-1 is a ZTHA control platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT and IoT security programs. Sepio’s hardware fingerprinting technology discovers all managed, unmanaged, and hidden devices that are otherwise invisible to all other security tools. Sepio is a strategic partner of Munich Re, a reinsurance company, and Merlin Cyber, a cybersecurity federal solution provider.
Baptist Health is a full-spectrum health system. The Baptist Health organization includes nine hospitals, employed and independent physicians, and more than 400 points of care. Baptist Health’s eight owned hospitals include more than 2,300 licensed beds. Baptist Health also operates the 410-bed Baptist Health Deaconess Madisonville in Madisonville, Ky. in a joint venture with Deaconess Health System based in Evansville, Ind. Baptist Health employs more than 23,000 people in Kentucky and surrounding states. Baptist Health’s employed provider network, Baptist Health Medical Group, has nearly 1,500 providers, including more than 750 physicians and more than 740 advanced practice clinicians. Baptist Health’s physician network also includes more than 2,000 independent physicians.
Healthcare Innovation’s Managing Editor Janette Wider sat down with Michael Erickson, CISO at Baptist Health, to discuss the implementation of the HAC-1 solution and any challenges that arose during the project.
Can you discuss how the implementation of the HAC-1 solution went at Baptist Health?
Sepio’s HAC-1 solution went very simply for Baptist, actually, and we were surprised by that. A lot of times when we work with technology companies, especially those that are more innovative, it can be quite an implementation challenge. In this case, we were pleasantly surprised that the system is very lightweight, very sophisticated, but installs rather easily along with our other threat detection types of tools.
What was the biggest challenge in implementing this solution?
Our biggest challenge was incorporating their tool into our threat management program and incorporating that into our daily procedures.
Were there any other challenges?
We're fortunate at Baptist. We have a great team of people who understand our environment. They understand our digital assets, so we leaned on the collective wisdom of our institutional knowledge. When it came to these types of challenges [incorporating Sepio’s tool], we helped Sepio understand our organization and the collaboration between the two companies has made it very simple for us to overcome those challenges.
How did Baptist Health get leadership behind the decision to implement Sepio’s solution?
Again, I think we're fortunate. At Baptist we have a very strong leadership team. The tone at the top is clear—cybersecurity is a strategic initiative for the organization. Our team is continually collaborating with us and challenging us to find new controls that add new layers of defense. We don’t have an unlimited budget, but it certainly is a very collaborative type of relationship.
What were the advantages of implementing Sepio’s HAC-1 solution?
I think the best thing that came out of this is that we're now looking at data with our business partners and looking at it in terms of helping. We’re bringing a new set of information to our asset inventories and it's helping us better plan the lifecycle of assets. Also, we are gaining a better understanding of what devices we need, meaning we might need to choose a particular model or make moving forward. It’s really helping in terms of business decision support in ways we hadn’t predicted.
Do you have any tips about talking to leadership and/or boards of directors about the importance of cybersecurity?
I think one would be hard-pressed to find any leaders today that aren't concerned about cybersecurity risk threats that they're seeing. I think there's probably more motivation on their part than people give them credit for. I think it's best to seek them out and have a conversation to understand what their concerns are, meet them where they are with their understanding of threats, and talk about their foundation. Additionally, talk about the layers of defense that are necessary to help defend an organization, especially in an organization of any particular size.
What is the most challenging aspect of cybersecurity in hospitals today?
We're looking at the term zero trust quite closely right now, and I'm sure your readers are thinking about that strategy as well. For us, zero trust is difficult in an organization that serves the public. We want people to come and spend time in our organization to heal and be comforted. When we look at IT assets, we have to think about not just the activity of the devices that are coming into our organization, but the existence of those devices. So, working on visibility, working on understanding down to the peripheral level, the wireless level, and wired devices.
Understanding what's in our facilities at any given time is a big challenge and that's why we have invested in the Sepio product. It has given us a much more robust dataset than we've had previously with other vulnerability management tools.
Has COVID and working from home introduced more cybersecurity challenges into the landscape?
I definitely think it's been a challenge for companies because we don't have physical visibility into people's homes. We aren’t there to help them interact with their technology and to make sure that it's configured and secured properly—we're doing that remotely. I think it's important to have tools, like we're talking about today, to be able to add some layer of additional visibility and support and safety controls for people working from home.