
December 16, 2025 38 mins

John F. Banghart, Senior Director for Cybersecurity Services, Venable LLP, speaks with Errol S. Weiss, Chief Security Officer, Health-ISAC, Inc., about the unique challenges associated with information sharing in the health care sector. They discuss what an ISAC is; what information sharing means in the context of the health care sector and why it is important; legal, regulatory, and compliance risks; risk mitigation strategies; the impact of the Cybersecurity Information Sharing Act of 2015; and how to facilitate cooperation in information sharing among various stakeholders. Sponsored by Venable.

Watch this episode: https://www.youtube.com/watch?v=2sRx96w1U70

Learn more about Venable: https://www.venable.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:04):
This episode of AHLA's Speaking of Health Law is sponsored by Venable. For more information, visit venable.com.

SPEAKER_02 (00:16):
All right, well, welcome everybody to our discussion on information sharing in the healthcare sector today. My name is John Banghart. I'm a senior director for cybersecurity services at the law firm Venable. I think it's worth noting that I am not an attorney, so you might be surprised to find that there's non-attorneys working at a law firm.

(00:37):
But we established a team of cybersecurity professionals at Venable over 10 years ago now. And it's been a tremendous pleasure to be there for almost that entire time. And part of the great thing that I get to do in my job is, in addition to working with lawyers, is getting to work across a lot of really great communities. And one of my great clients and friends joins me today, Errol

(01:01):
Weiss. Errol, let me kick it over to you. Tell us a little bit about yourself, your background, tell us what an ISAC is, and then we'll kind of get into the topic here.

SPEAKER_01 (01:10):
Great, John. Thanks a lot. And thanks a lot for having me here today, everybody. So my name's Errol Weiss. I'm Health ISAC's Chief Security Officer. I've been here for six and a half years now in this role. Prior to that, I was in the banking and finance sector for 13 years between places like Citibank and Bank of America. When I was at Citibank during that time frame, I created and

(01:31):
ran their global cyber threat intelligence organization delivering threat intelligence to thousands of internal customers worldwide. So had a lot of fun and interesting uh experiences there. And got to work with another ISAC, the Financial Services ISAC during that time as well. So uh as John alluded to, what is an ISAC?

(01:52):
It stands for Information Sharing and Analysis Center. And it's a it's a concept that was created in way back in the mid-1990s after a federal uh government study found that much of the critical infrastructure was owned and operated by the private sector. So it was really an idea to help encourage the private sector to share incident information, best practices with each other and to

(02:14):
really help protect those organizations and essentially the each critical infrastructure from what was suddenly becoming a very threatened uh uh set of targets in the US.

SPEAKER_02 (02:26):
And hey Errol, let me let me jump in real quick because I think one of the things that might be helpful just for context for folks is when we say critical infrastructure, um, you know, there's very specific definitions around that, right? So I think everybody kind of understands that things like your energy and your water, um, that those are things that are critical, right, to our daily lives and to our country.

(02:48):
Um, but there's a lot of other critical infrastructure sectors too, like healthcare, for example, financial services, transportation. And so it's a really interesting mix. And I think it was um just wanted people to understand that there's what is it, like 16 or 17, I think, defined critical infrastructure sectors now.

SPEAKER_01 (03:04):
I think 16 is the right number, yeah.

SPEAKER_02 (03:06):
Yeah, 16. So it's it's interesting. And I think um, you know, obviously healthcare is one that touches on everyone's lives, uh, and it certainly is is critical to all of us. So just just wanted to add that context, but please keep keep going.

SPEAKER_01 (03:21):
Yeah, actually, I think that uh that that's a pretty good background about the ISACs themselves. They're all very different from each other, and I think because they're really laser focused on each of those sectors that they support. But essentially at the core, they do promote information sharing, best sharing best practices, sharing incident information amongst the members inside each of those, uh inside

(03:43):
of each of those sectors. In the case of uh Health ISAC, we've been around since 2010, so 15 years at this point. First ISAC uh was the financial services ISAC that got launched in 20 in 1999. So they've uh they've been around for over 25 years now.

SPEAKER_02 (04:00):
Yeah. So my first interactions with the ISACs is when I was in government. Um, you know, I spent some time at NIST and with the National Security Council and you know, really started to engage with that community and and see the value in it. And I think one of the things that I really had to learn was what did we really mean when we say information sharing, right?

(04:21):
Because you know, you put those two words together, great, information sharing. That sort of makes sense, and and everybody can sort of conceptually understand what that means. Um, but I never really fully appreciated what we were really talking about when we talk information sharing, um, particularly in the context of critical infrastructure. And and so maybe maybe if you can spend just a few minutes on

(04:42):
when you say information sharing, what does that mean to the healthcare sector? What does that mean to the ISAC? Um, and I think importantly to your members, right? Because you're you're made up of, I forget what the number is, but it's a large number of healthcare organizations from all over the country and really around the world, right?

SPEAKER_01 (04:59):
Right, right.

SPEAKER_02 (05:00):
Yeah.

SPEAKER_01 (05:01):
Yeah, so uh yeah, so definitely an interesting issue there. And and I think what it boils down to really, I'd I would kind of separate it into like three general buckets when we talk about information sharing in general. And if we just think about tactical, strategic, and operational, and I can just give you high-level examples of each one of those without getting super technical.

(05:21):
But on the tactical side, the idea is like if if I'm seeing an attack, if I get a malicious email, I can take that information and share it with our peer organizations and help them use that kind of information to look to see have they been attacked by these things, have they seen them in their own environment to try to better protect the organization?

(05:43):
And by tactical, I mean things like maybe IP addresses or the subject lines of that malicious email, or maybe uh where that malicious email came from, what was the from address on there, or even file attachments, for example. Anything that I can use to describe very specific email or IP address information, for example, could be very helpful

(06:06):
for others to protect their organizations. Um, on the strategic side, you know, and going up like 30,000 feet from that viewpoint, it's you know, what what trends are we seeing in attacks now? What different methods, for example, are the bad guys using to run these attacks? What new innovative techniques are there do are they doing?

(06:27):
You know, just as an example, like almost every day, right, we're hearing about a new scam and uh and what's sort of the twist on it that that we haven't heard before. So if you can kind of think about it that way, that's some of the things that we might share from a from a strategic standpoint.

SPEAKER_02 (06:42):
Yeah, I think that's a really oh sorry, let me just real quick, because I think that's a really important one, right? That that really everybody, regardless of of what sector you're in, regardless of whether you're a lawyer or a technical person, I think everybody really appreciates how quickly the the the attacks change, how um quickly we get targeted. Certainly those of us who are working in the healthcare

(07:04):
sector, we're targeted all the time. And it's it's effectively impossible, I think, for any one organization to keep up on their own, right? Yeah, because we're all under attack. We gotta have that collective defense.

SPEAKER_01 (07:17):
And and every time we do a threat report, it feels like it just gets worse every year. It never gets better. And it's like the things that we learned 20 years ago, you still have to worry about today. And then, of course, with things like artificial intelligence, AI, it the problem gets worse every day. So never a good story there. Um, so John, the last thing I was going to bring up was operational sharing.

(07:38):
So things like best practices, um, uh survey information, right? We can send a pulse check out to the uh community to say, hey, how are you handling this problem? Or where in the organization does the CISO report to, or how much are you spending on information security? Even surveys like that can be super helpful and demonstrate best practices that others might want to pick up on.

(08:00):
And then even doing things like sharing document templates. Like if somebody has a template for a process or a policy, just being able to share that out to the community so that they can kind of get a head start on their own and develop something from there. But I think you know, the other piece of this, the other dimension on the tactical, strategic, and operational that I'll just leave you with here is that it's also about sharing

(08:23):
these things during steady state. So when we're not under attack, but then also during the incidents, which I think is one of the most important places where we should be sharing actively.

SPEAKER_02 (08:33):
Yeah. Yeah, and it's I'm glad you brought that up because that was as somebody who sort of came at the ISACs, you know, from the outside, um, particularly when I started working with you all at the health ISAC six, seven years ago now, um, you know, I had it in my head that, okay, ISACs, I've heard about that, and you know, they're really just doing threat indicators and all this

(08:55):
like technical stuff and whatever. Um, but I really did come to appreciate how much of the sharing that was happening really was that steady state or that proactive of just like, hey, I'm doing something this way and it's working great for me at my hospital. If you are also working at a hospital, you should consider this, right? Because it's this is something that I'm doing.

(09:16):
And so, you know, watching those interactions and realizing and and seeing the ISAC create a safe space, and we'll come back to to why it's a safe space here in a minute, but creating that safe space for people to be able to share openly um was an eye-opener for me and you know, really gratifying to see, you know, just how much people appreciated that.

SPEAKER_01 (09:37):
Yeah, I love that you brought that up because I'm constantly thinking that that um the working groups and those and those smaller um groups getting together to share ideas and learn from each other. I think to me it's probably one of the best experiences I had when I was on the financial services side and learned so much, not not even just technically, but also about uh

(09:59):
leadership and management and operating under incidents, just watching other people and again, just from a personal professional standpoint, helped me out tremendously from a growth perspective.

SPEAKER_02 (10:10):
Yeah. So let's let's I think we'll we can come back to some um other other benefits as we go through this. But I I want to think a little bit, you know, given the folks that are are listening to the podcast today, watching the podcast, and and trying to put myself in their shoes, which having now worked at a law firm for 10 years, um, I certainly have learned how to put myself in the shoes of lawyers, you

(10:32):
know, both inside and outside counsel. And so if I'm sitting here and I'm listening to all this and that sounds great, information sharing's great, um, there's a lot of these great benefits, but I might also start thinking about well, but aren't we putting ourselves at risk, right? If our if our company is sharing information about an incident that we're having or about our internal practices with others,

(10:56):
um, I might start to feel a little concerned about that, right? Because my job as whether I'm inside or outside counsel, my job is to protect my organization from liability, protect them from potential harm. And so we do hear a lot of this, right? So you and I have heard this now over the last several years, we've been working on this issue. So we do hear a lot of those pieces.

(11:16):
So I wanted to kind of turn our attention to that a little bit. Can you give just just give me your perspective? And then I'm happy to share mine. Amongst your membership or amongst companies you run into in the healthcare sector, what sort of pushback do you get from that sort of legal regulatory compliance side that you think would be worth tackling here?

SPEAKER_01 (11:37):
Yeah, I I think uh the um the bit the biggest one that I that I want to bring up, and I really want to hear your perspective on this, is um the biggest issue I see is when there's an incident. When an organization, maybe a hospital is a great example. Hospitals have been targeted by ransomware, they are under attack, and systems are starting to shut down, and they're having

(11:59):
to divert patients to other uh hot local area hospitals. Um to me, that is the opportune moment to be able to share information about that attack. What are they seeing? What um what were the indicators of the attack itself? What are you know, what did it come in from an email?

(12:21):
Did somebody click on something and suddenly computers are infected? To be able to share that kind of information as quickly as possible could lead to all kinds of other benefits for them. And we'll get into that later, I know. But to me, that's that's the toughest part I see is when organizations like that get attacked and they get shut down from a communication standpoint.

(12:43):
There, people are told they cannot talk to anybody, they shouldn't be speaking with anybody, and that would include uh potentially sharing information to one of these uh ISACs or other communities. And yeah, and again, I think it's a lost opportunity.

SPEAKER_02 (12:57):
Well, yeah, absolutely. And in your specific example, um, I mean, that's that immediately gets to patient safety, right? Because now if you look at the way these attacks often occur, and I this is this is what you're highlighting. So great, or not great, hospital gets hit, they start to divert patients.

(13:17):
Um, if the hospital they're diverting patients to then gets hit, then what, right? So you get this sort of cascading problem. Whereas in your example, if they do start sharing information, maybe that second hospital won't get hit or the damage won't be quite as bad, and they'll be able to take patients. And so immediately in that in that crisis, you're immediately helping patient safety just by sharing what ultimately what you

(13:40):
and I know is is fairly basic information, fundamental information about the attack.

SPEAKER_01 (13:46):
Yeah, and John, the other big point there on that example you brought up was they could potentially share something and then learn from others who have had a similar or maybe the same attack, and they can learn how they recovered and got back up to speed quicker, and that could help you know the victim here uh you know get back up to speed even faster.

SPEAKER_02 (14:07):
Yeah, no, exactly, exactly right. So I'll put my lawyer hat back on, um, reminding everybody I'm not a lawyer. There's no legal advice here. Um, but I'll put my lawyer hat back on. And so I get it, that makes sense. Patient safety, some things that we can share. Um, but I'm still concerned in the broader sense, right? Because our hospital, or maybe, maybe let's pivot to say a

(14:29):
biopharmaceutical company, right? So our pharmaceutical company, we have a lot of intellectual property, we're heavily regulated, um, both, you know, particularly if we're a multinational. I'm sitting here, I'm the general counsel or I'm outside counsel, I'm responsible for managing all of this, keeping us out of trouble. Um, and I get nervous when my CISO or somebody says, hey, I

(14:53):
want to share this information. Um, let's put it into the context of the ISAC, right? Because I think here in the US, the health ISAC and its its corollaries, you've got some pretty specific structures to help reduce that potential liability or reduce that risk. And I think it would be important for folks to understand that.

(15:13):
So just dive into that a little bit.

SPEAKER_01 (15:15):
Yeah, no, I I think uh, you know, one of the benefits there with the ISAC is that you know ultimately you can share something uh anonymously. So we have mechanisms that or our member organizations can share information about an incident, for example, or anything else that they want to share with us. And they can they can essentially um log in securely

(15:36):
to our portal, indicate to the portal that they do not want attribution or identity, they do not want to be identified. They can create that record, share what they want to share, submit it. And in in in every ISAC that I know uh works this way, where that information will essentially go to an analyst

(15:56):
team, they will review it, vet it, make sure if it's marked as um as anonymous, they will make sure it does not include any identifying information uh that that was maybe accidentally submitted by that person. They'll double check it and then they will turn it around and share it with their respective memberships. So we've got a way to ensure that you know that organization

(16:18):
member can submit something and ensure anonymity for them while helping it protect the rest of the community.

SPEAKER_02 (16:24):
Yeah. Um that's that's perfect. And I think that that is one of the real powers of the ISACs, um, health ISAC in particular, that you know, sometimes not everybody realizes, right? They don't realize you know there are these protections, processes put in place to encourage sharing and protect the organizations um that are doing doing the sharing.

(16:46):
And so I think that's really, really important. So I appreciate that one. Um what else from your perspective would you say? And I've got some thoughts I can dive into if you want, but is there are there other perspectives on things you hear from organizations who are like, well, we we joined the ISAC or we want to join the ISAC, but we're concerned about sharing and we're concerned about these risks.

(17:07):
Is there anything else that you want to kind of hear or that you do hear from people that you want to highlight?

SPEAKER_01 (17:12):
Yeah, I I think that um, you know, as I sort of indicated in the beginning, when you have uh someone in the organization, maybe it's the CISO goes to counsel and says, hey, we want to share with our peer organizations, there there's there's not enough definition to what does that mean. You know, it's your point earlier. Yeah. And I and I think that that if we're able to specifically

(17:34):
define, you know, these are the exact kinds of things that we want to share, some of the examples that I mentioned earlier, like IP address or email information, or maybe it's a best uh high-level description of a best practice or a uh policy template. If we can get down to that granular level and talk to um a counsel about that, for example, hopefully put their minds at

(17:57):
ease that the kinds of things that we're talking about sharing here are not necessarily going to put the firm at risk.

SPEAKER_02 (18:04):
I absolutely love that. And what I like about it is who whoever you are that's listening to us out there, maybe you're on the counsel side, maybe you're on the the CISO or the technical side, what Errol just said, um, it it works, works for all of you, right? Because the key there is if as an organization we want to do sharing, we need to be defining what that is.

(18:25):
So if you're the CISO and you need to go to your counsel, be ready, right? Be ready with specifics. Don't just go and say, yeah, I want to share a bunch of information, just sign the dotted line. No, go with specifics about what you're talking about. And if you're on the counsel side, inside or outside, you know, understand that you can ask those questions. Ask them specifically, what is it that you want to share?

(18:46):
So, yeah, it takes a little bit of work to get it set up and get it working. But I think if we go back to some of our earlier discussion, the benefits, not just to individual organizations, but the benefit to the sector at large, I think is so valuable. And I think that's one of the things that I love about working with the Health ISAC is that shared sense of mission, right?

(19:08):
I mean, you and I were in California last week at the Health ISAC Summit, you know, with hundreds and hundreds of people, um, many of whom are direct competitors, day over day, fierce competitors, yet they're able to come together, work together, because even as competitors, they recognize that information sharing, collaborating on these shared challenges, um, is really the only way that they can be

(19:31):
successful. And it's so great to see. And I'm sure you probably feel and see the same thing. Oh, yeah. Yeah. So I wanted to bring up a topic just so we don't run out of time. It's CISA 2015. So some of you, if you follow information sharing at all, or if you just follow sort of what goes on inside the US government

(19:52):
uh at the moment, uh, which is a lot, um, we we have this law called the Cybersecurity Information Sharing Act of 2015. Not to be confused with CISA the Agency, but it's a whole separate act that came out in 2015. And one of the reasons that that act was created, CISA 2015, was in order to encourage sharing by putting into law protections

(20:15):
around sharing between private sector and government, as well as a little bit between the private sector. This has become a big issue because CISA 2015 had a 10-year lifespan. It expired, they've renewed it until the end of January, temporarily for the continuing resolution. We won't get into how government works. But nevertheless, you know, there's some real concern around

(20:36):
if the CISA 2015 doesn't get renewed, the the lack of legal protections, I think a lot of people feel like, well, boy, that's really going to put a chilling effect on information sharing. But Errol, I'll turn this back over to you. I think you would argue that we had information sharing before

(20:57):
CISA 2015, excuse me, and information sharing can continue regardless.

SPEAKER_01 (21:01):
Right. Yeah, I think that's yeah, that's exactly where I would go. Um, you know, as I mentioned earlier, the FS-ISAC started in 1999. Um, and clearly we were actively sharing information way before CISA 2015 ever came into being. But I will say that that I was definitely a proponent of it when it was being talked about. Glad to see that it got passed uh back in 2015, because I think

(21:24):
it kept the momentum moving in the right direction. As we've talked about, you know, information information sharing sounds great, but there's definitely challenges with it. There's it's hard to get people involved for all the reasons that we've talked about and more. And I think that uh when CISA 2015 came along, it helped with the momentum. And it when it was threatening to uh expire uh at the end of

(21:46):
September in uh 2025, you know, we we didn't want to lose that momentum. So we wanted definitely to see that continue.

SPEAKER_02 (21:55):
Yeah, and I I think, yeah, no, no, I think that's right. And I and I think that's an important, an important piece of this, and it's something that you know a lot of us across the information sharing community um in the broadest sense have really been communicating to government, right, to Congress to say, look, um, you know, we need we there are reasons why CISA 2015 is helpful, and here's what they are.

(22:18):
I I would say, just to even put a finer point on that, um, you know, I've talked with a number of my attorney colleagues at Venable and and uh across the private sector. And one of the things that I've learned about the legal community is they they do like to be able to put their finger on something very specific, right?

(22:38):
So when you have a law that says doing this thing is okay, then great, we have a law, we've got legal protections and so on. Um, regardless of whether there's other ways of doing it, just having the law is really helpful. And so I do think that's CISA 2015. I agree with you, it did help grease the wheels a little bit, it did help the momentum keep going.

(22:59):
Um, and I am hopeful that they will renew it in the simplest sense for exactly that reason. But nevertheless, I think there are other ways, if it goes away, that we can help the legal and compliance community to be able to put their fingers on things and say, okay, I see specifically why we would be protected here, whether it's through NDAs, working through the ISACs, um, and so on, or

(23:21):
perhaps other kinds of legislation. And there are a number of things that you can do. And I before we before I forget, so that I don't forget before we get to the end, um, the Health ISAC and Venable and some other organizations have been working on a white paper that gets into some of these topics, including a lot of the additional legal

(23:44):
protections or legal pathways around information sharing. So, um, Errol, let's go back to you know some of the other, um, some of the other benefits. I know you've had some specific examples made in your career, both in the financial services sector as well as in the healthcare sector. People love stories, so maybe just a couple minutes of a story

(24:06):
where information sharing, you know, led to some really positive and tangible benefits.

SPEAKER_01 (24:11):
Yeah, I can definitely bring up a few. So uh so kind of you know, reaching back way back um in the career, going back to the finance sector days, um, in the fall of 2012. Uh you may recall that the finance sector was under attack by a allegedly by a hacktivist group called the Al-Qassam

(24:32):
Cyber Fighters, which in turn turned out to be the the Iranian government, who was essentially fighting back against the um sanctions that were placed against them and the whole uh nuclear uh arms race that was happening at the time. And and so that um essentially that hacktivist group front was

(24:52):
launching distributed denial of service attacks against the finance sector. What does that mean? They used malware to gain control of thousands of computers all over the world, pointed them at banking websites with the idea of just oversaturating the websites so that they would become inoperable. And they were successful.

(25:13):
Um, like I mentioned before, they I was at Citibank at the time, and we were watching this activity happening at other organizations that were being targeted by them. This group announced exactly who they were going after, when and where, and uh they were throwing a lot of um uh uh denial service traffic at these organizations, volumes that nobody had ever

(25:36):
seen. I mean, an industry was born essentially being able to create like an anti-DoS service as a result of what happened here. But the banks were really having a hard time in some cases uh uh mitigating some of the threats that were happening at the time. And so I think, you know, from my time in the trenches there and working through the financial services ISAC at the

(25:59):
time, uh banded together with the other banks, and we were sharing, actively sharing information about the attack types, what we saw, what the impact was happening, and then the methods that people were using to try to uh mitigate those attacks. And and and that became wildly successful in terms of trying to really help protect each other. So uh during the attacks, we were able to quickly share that

(26:22):
information and then get it out to the broader community in case you were being targeted tomorrow. Uh you could use some of these methods. So that was that was really pretty neat um uh experience uh going way back then. And there's I can I can go through some other afternoon, right?

SPEAKER_02 (26:41):
Yeah, no, I I I think that's I think that's great. And I think you know the the the takeaway that I have from that and and from other you know other circumstances, again, it comes back to and we touched on this a little bit um earlier as well. We're all under attack by largely the same people using largely the same methods.

(27:02):
Yes, it evolves. Um, some attackers, bad guys are more sophisticated than others. I realize that they're I'm making a bit of a generalization, but the reality is if you're a hospital or you're a drug manufacturer or a medical device manufacturer, or if you're supporting those companies, they're all being attacked constantly by the essentially the same threat

(27:24):
actors, same group of threat actors uh day over day. And I think that's why it's so important to recognize if we're getting attacked by the same people in the same way, we need to defend ourselves together. And that's what's great about that story you told. It comes back to that idea of banks are super competitive with one another.

(27:44):
They are spending a lot of time trying to put each other out of business, but yet they're able to set that aside to say we can't function at all if we can't get control or if we can't fight back against these bad guys or push back against these bad guys. And I think that has been such a powerful, powerful thing that's been enabled by just the willingness of those organizations to share.

(28:05):
And I know we're seeing it in healthcare as well, right? Again, not through the ISAC and working with partners like Microsoft and others and law enforcement to be able to really say, look, we can work together, we can share information between private sector and government and make things work. And that's where I was going with that was to see if you wanted to share a little bit about, you know, how does the health ISAC interact with government partners directly or

(28:28):
indirectly? You know, what does that look like and how does that sharing sharing work?

SPEAKER_01 (28:34):
Yeah, I mean, we've got a number, like I mentioned earlier, thinking about sort of steady state. You know, we've got a number of outreach programs in place where we have analysts getting together on a regular basis, public-private sector um again joining each other and sharing notes about what we're seeing, what our experiences are in terms of new threats or current threats and new trends that

(28:54):
we're seeing, and being able to share and learn from each other. And again, that's happening at the analyst level. Uh, likewise, the leadership is getting together on a regular basis, uh, probably through things like the Sector Coordinating Council, which is a sister agency of ours. But um it there are definitely several forums where we can get

(29:15):
together with, in the case of healthcare, get together with our counterparts at HHS or CISA or even law enforcement, and um being able to work with each other on a regular basis. And then during the incident times, it's being able to, you know, it it's great to be able to know who to call, for example, and be able to get together with them quickly when

(29:38):
things are happening.
I can think about the probablyone of the big ones that we had
in 2024 was the changehealthcare incident and and what
was happening then.
And and here's a situation wherethe the help from the government
was definitely needed um to helpuh bail out some of the cash
flow problems that we're havingthat were happening as a result

(29:58):
of that incident as well.
But you know, it was definitelya place and time for all of that
and some some really goodrelationships that uh we've been
able to make.

SPEAKER_02 (30:06):
Yeah, and I think that's so important too, right? Because, you know, one of the... well, let me ask you a question. So if I'm a CISO, I'm at a hospital, I have some information that I want to share with law enforcement, but maybe I'm feeling nervous about it. Can I work through the ISAC? If I'm an ISAC member, can I get that information to you and you can kind of pass it on to law enforcement anonymously, if you

(30:28):
will?

SPEAKER_01 (30:29):
Yeah, I'd say we do that quite a bit, actually.

SPEAKER_02 (30:32):
Yes. Yeah, I think that's great. And I think that's something that I think a lot of organizations would appreciate, particularly if they are nervous about sharing directly, but also want to help the community, they want to help their peers. Again, it's another sort of a great thing that the ISAC does really well, which is awesome. So what else haven't we covered that you wanted to touch

(30:57):
on? Anything from your perspective, things that you're seeing on a regular basis, or just things that you think, you know, our audience here might like to know in terms of learning more or getting more comfortable with the idea of sharing?

SPEAKER_01 (31:09):
Yeah, I mean, I'm excited to see that white paper that you mentioned get out and start to get some circulation and see if we can get some feedback from the audience here as well. But, you know, as you and I have worked before, I think that to me is sort of a critical part in terms of trying to help organizations make information sharing not just the legal decision, but also more of a business decision in general.

(31:32):
You know, by talking about a lot of the positives that we've mentioned here today, hopefully it moves the needle in the right direction when it comes to organizations wanting and being able to participate in these information sharing networks.

SPEAKER_02 (31:46):
Yeah, no, I think that's right. And I think, you know, one of the things that I highlight a lot and that, you know, in the years I've been working with the Health ISAC and getting to know so many great people is seeing the benefit inside an organization when they can work together, when the legal side, the technical side, you know,

(32:06):
under the guidance of management, obviously, but where they recognize that, look, we're both different parts of the risk management engine of our company, right? Or our organization. And we need to work together to help define things like information sharing, which we talked about, to find a path towards doing the right thing, because it does help our organization.

(32:27):
I've also seen the opposite of that, right? Where I've talked to both lawyers and technical folks, CISOs, who are like, I can't get my, you know, if I talk to a lawyer, they're like, my CISO won't talk to me, right? They won't share with me. They just think all I want to do is say no all the time. And so I see that a lot. And I think, you know, one of the key takeaways I would have for folks listening today is regardless of where you sit in

(32:50):
your organization, if you have a stake in this or whatever, you know, go and reach across the aisle, if you will, right? Reach across to these other business units and think about how we can work together to both help us and to help our communities. Because I just think that's so important to figure that out. And when it's done right, it works really, really well. Would you agree?

SPEAKER_01 (33:11):
Yeah, no, absolutely. And what I would add to that is, John, I mean, you know, some of the things that are going to be in that white paper that you talked about are already in another paper that you and I worked on, the sharing best practices. But the idea in that paper that I'll mention is one of the little tips that we talk about in there is

(33:32):
working with your legal counsel and maybe even inviting that team to participate in a tabletop exercise, for example. And that was one of the things I did when I was in the banking sector is inviting legal counsel, internal counsel to some of those internal tabletops and sitting around and watching what happens in an incident, understanding what's

(33:54):
going on internally, and then working with others externally, including the ISAC and what that experience is like, and having them at the table is just, you know, such a great way to do that.

SPEAKER_02 (34:03):
Yeah, I'm really glad you brought up exercises because they are such a powerful, powerful tool. I do them quite a bit through my capacity at Venable for our clients, but also you and I have worked on several together within the health sector. And you know, it is such a powerful tool, whether you're doing it internally or, interestingly enough, even

(34:26):
outside the context of the Health ISAC, where we bring together lots of companies, government agencies. Just at the summit last week, I saw a presentation by some of your members, three different companies, I think, that work together, a hospital system, a medical device manufacturer, and I'm forgetting who the third one was, but the three of them came together and they ran an

(34:46):
exercise, right? Because they recognize those critical dependencies. And if there is going to be an incident or something that's gonna impact patient care, being able to work together. So I do think exercises are hugely valuable and really, really important to be multifaceted where it's not just the CISO and his or her team, it's bringing in legal, it's bringing in compliance and management, sometimes even the

(35:08):
board or so on. So it really is a powerful thing.

SPEAKER_01 (35:12):
Yeah, as you talked about before, you know, reaching across the aisle, there's no better way to do that than getting them all in the same room.

SPEAKER_02 (35:18):
Yeah, exactly. Exactly. And I'll say just sort of the final note on that as we look to wrap up, I would say too that, you know, one of the things that you and I have been doing is expanding the view of our sector exercise as well, right? We've spent a lot of years focused inside healthcare. And now we're starting to look at, well, what are the dependencies between healthcare and water or healthcare and

(35:40):
energy? And again, broadening that aperture a little bit so that we're not just sharing within our sector, but we're sharing between sectors, right? By understanding what are those dependencies, we can define better how and what we want to share with companies, organizations outside of our sector, which I think is just increasingly important.

(36:00):
So all really good stuff. So, Errol, let me give you the floor again. Any sort of final comments, anything that we didn't cover, or, you know, something you'd really like to share with folks, or maybe just another anecdote, whatever works for you.

SPEAKER_01 (36:14):
Yeah, no, what I'd love to just leave folks with is if you're in the health sector, we'd love to have you as a Health ISAC member. You may already be a member, which is certainly a case, or you may be working for a client who is already a member, and there's definitely ways to find that out. If you're not in the health sector, there is definitely an

(36:35):
ISAC for you on the National Council of ISACs. If you visit their webpage, they will point you in the right direction in terms of trying to find out about some of the other ISACs that are available.

SPEAKER_02 (36:46):
Yeah. No, that's great. And I'll just add to that too, whether your organization is a member or you're interested in becoming a member, there are increasingly resources for folks that are outside of the traditional technical as well, right? So I'll just mention, you know, we stood up a cybersecurity regulatory compliance working group

(37:08):
recently, which, yeah, it's talking about technology, but it's talking about it in the context of global regulation. And this is an area where we've started to see more folks from corporate compliance or even a couple of legal folks show up and say, I'm responsible for this. For my company, I need to understand this better. So even if you're not a technical person watching this

(37:30):
today, you may find that the ISAC has a lot of resources and a lot of great ways to collaborate. So certainly encourage you to do that. So with that, I'll just say thank you. Very much appreciate you all spending time with us here. Hopefully you learned a lot, at least enough to get you interested. So again, thank you very much.

(37:50):
Appreciate the time, and hope you all have a great day.

SPEAKER_00 (37:57):
If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit AmericanHealthLaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members.

(38:20):
To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org slash daily podcast.