January 25, 2025 • 34 mins
Unlock the secrets of healthcare cybersecurity with insights from our distinguished guest, Jason Payne, Sales Director of ANZ at Claroty Healthcare. Delve into the crucial role of digital visibility in safeguarding healthcare environments, especially in the face of the IoT device surge. Jason gives us a glimpse into his career journey and shares his expertise on the vulnerabilities inherent in flat network structures within healthcare organisations. Discover how identifying and managing critical assets can prevent breaches and ensure uninterrupted patient care, a mission at the heart of Claroty Healthcare's approach.
Ransomware attacks are a growing threat, capable of bringing hospital operations to a standstill and jeopardising patient safety. In this episode, we stress the importance of pinpointing weak links and reinforce the value of strong channel partnerships in bolstering security measures. Drawing from personal experiences in the ANZ region, we share strategies for engaging with healthcare providers, navigating the intricate landscape of public sector regulations, and understanding their unique challenges.
Lastly, we explore the cutting-edge world of medical device cybersecurity and innovation, particularly within Australia's SOCI Act framework. With only a select few hospitals meeting SOCI compliance, we discuss the political and financial hurdles of expanding this compliance. Learn how our collaboration with manufacturers, alongside our threat team, Team 82, is paving the way for enhanced network security and visibility. As we wrap up, we touch on the evolution of artificial intelligence, offering fascinating parallels with visionary thinkers, and spotlight the transformative opportunities AI presents for data and network support in the healthcare industry.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jason Payne (00:01):
It's important to know that security is only as
good as being able to stop theweakest link.
So the weakest link could be asmall IoT or sensor or device
which then gives an adversarythe opportunity to traverse and
potentially shut a hospital downand demand a huge ransom.
Those hospitals particularlyhave to have something in place
(00:22):
to know what those criticalassets are and how they can
report on those critical assetsare, and how they can report on
those critical assets and whatthey're going to do in the event
that there was a breach and howthey're going to remediate that
.
Michael van Rooyen (00:32):
Today I have the pleasure in having a chat
to Jason Payne, who's the salesdirector of ANZ at Claroty
Healthcare.
We're going to be talking allthings around digital visibility
healthcare sector and theunique challenges that faces
that component of the industry.
Jason, welcome to the podcast.
Thank you very much Thanks forinviting me in.
Yeah, I appreciate you coming inand we're catching up fairly
(00:52):
late at Cisco Live and I reallyappreciate the time Before we
start.
Do you mind just spending amoment on your career and your
journey around network securityvisibility and what led you to
your current role as the salesdirector of ANZ for Claroty
Healthcare?
Jason Payne (01:11):
Yeah, so my background as you can probably
tell from my accent, I'm notfrom Australia, so I came to
Australia in 2011.
So I've been here almost 14years and my background was
predominantly channel, so I'vegot a very, very good
understanding of distributionand channel partners.
Right Came to Australia, movedinto distribution to start with
so I could get an understandingof the market, who the partners
(01:32):
were, what they were doing, andthen progressed, obviously into
the vendor vendor land, with myfirst vendor gig working for
Palo Alto, which was there fornearly four years, and after
there moved across to SplunkAgain, national partner manager
looking after a couple of bigpartners there, and then was
presented with an opportunity tojoin Claroty.
(01:53):
So I thought, shall I comeacross to a pre-IPO vendor and
see where that takes me?
So that's brought me here today.
So I've been with Claroty nowfor four years.
I started in their channel toalliances role for the last 12
months.
I've now moved into the salesdirector role for healthcare, so
responsible for thego-to-market, the plan, the
(02:14):
strategy around our healthcareoffering and our healthcare
platform, which some peopleformerly know as Medigate, which
is now Xdome for healthcare.
Michael van Rooyen (02:24):
And if I think about your broad
background there not onlydistribution, which is quite
interesting.
I had a guest recently talkabout that.
It's a unique space, but you'vereally been playing the channel
, which is great, right.
We're in an industry thatreally focuses on channel
partners Time at Palo Altoreally understanding the
security landscape and now intothe visibility space, right.
(02:44):
So it's certainly a fascinatingthing.
It's quite a simple fundamentalabout what it is around digital
visibility, but how key it isto resolving and actually
maintaining and looking aftercustomers' environments.
So off that, healthcareorganizations face a lot of
unique challenges, particularlyif we think about the explosion
(03:05):
of IoT devices and IoT security.
We have a lot of criticalinstrumentation on the
healthcare floor.
Can you talk a bit about whatsome of the key risks associated
with healthcare are,holistically from a tech lens,
and then maybe a bit about theOT lens on that as well?
Jason Payne (03:23):
Yeah, so healthcare , what we've seen on healthcare
as opposed to more traditionalOT and the verticals that are on
our OT side is that inhealthcare, healthcare delivery
organizations have typically gota pretty flat network.
So there's pretty much all insundry that's connected to the
network and most of the time,these organizations don't really
(03:45):
know what's on the network.
So you've got patient monitorsor your equipment, medical
devices which are associatedwith patient care, as well as
corporate systems as well, andthey all kind of reside on the
same network, as well as thoseOT devices and IoT devices for
the buildings of hospitals aswell.
For the buildings of hospitalsas well.
(04:05):
Yes, and it's important to knowthat security is only as good as
being able to stop the weakestlink.
So the weakest link could be asmall IoT or sensor or device
which then gives an adversarythe opportunity to traverse and
potentially shut a hospital downand demand a huge ransom.
So the challenges we're seeingis that, with healthcare then
(04:27):
being brought into security ofcritical infrastructure in the
SOCI Act, those hospitalsparticularly have to have
something in place to know whatthose critical assets are and
how they can report on thosecritical assets and what they're
going to do in the event thatthere was a breach and how
they're going to remediate that.
So the challenges thehealthcare have got is that they
(04:48):
want to have the hospitaloperating 24 hours a day looking
after patients they don'treally want to be worrying about
.
Okay, we're going to have acyber breach on a patient
monitoring device, but it canhappen.
So that's a big challenge forthem and even asset inventory
and lifecycle management andspending as well against those
(05:09):
devices which reside within ahospital.
Michael van Rooyen (05:11):
Yeah, yeah, and off that, I think about the
challenges you've just spokenabout around.
You know those devices andwe'll go a little bit deeper
into those in a sec, but do youmind just then taking a second
for people listening andexplaining what Claroty does,
what its mission is.
Jason Payne (05:28):
you know what problem it solves in relation to
this visibility and howcritical it is to have this lens
on things.
Yeah, so when you look athealthcare and medical devices,
they're very, very different toIT devices.
Every manufacturer medicaldevice manufacturer will build
their technology with their ownproprietary protocols.
So it's important to understandwell how do they traverse on
the networks within thesehospitals.
So Clarity solves the problemby giving the visibility into
(05:53):
those devices, by understandingthe protocols that the items,
the assets or the devices arecommunicating.
And then, once we've profiledthem, what Clarity does is it
then enables the organization tohave a risk profile associated
to it.
So what do these devices looklike?
What risks do they pose to thehospital?
(06:15):
What plans can be put in placeto mitigate that risk and reduce
the risk?
So we look at things likevulnerabilities what
vulnerabilities associated tothese medical devices and can
they be patched?
There's a lot of devices whichcan't be patched, and there's
TGA and FDA and there's a lot of.
You can't put certain thingslike EDR onto endpoint agents
(06:37):
onto medical devices.
So what do you do in thoseinstances?
So we build the foundations tobe able to create the security,
not just the security profilesfrom an enforcement point of
view, but understandingworkflows around vulnerability
and risk.
Looking at communication flows,so anomaly and threat detection.
So are these devicescommunicating to malicious IPs?
(06:59):
Is a medical device got accessto the internet?
Again, it's all risk?
Yes, but also the networksegmentation device.
Got access to the internet?
Against all risk?
Yes, but also their networksegmentation.
So a big part of what we do andone of the reasons why we're
here today at Cisco live is thesegmentation piece is around.
How do you build segmentationinto a hospital network without
knowing what's on there to startwith?
And we create the smarts aroundthat and we use clinical
(07:22):
context from all of ourthousands of customers globally
to understand what those devicesshould look like and how they
should be profiled and segmentedfrom a security point of view
as well.
Michael van Rooyen (07:33):
Yeah, fair enough too, and segmentation is
just so fundamental from anarchitecture point of view,
right?
So what you're really saying isbeing able to identify not only
the devices that are on thenetwork, because you know, you
don't know.
What you don't know is reallythe premise there.
The second part is how are theyoperating?
What, the, what are theirvulnerabilities?
What do we need to report on?
And you certainly did touch on agreat topic around not being
(07:56):
able to just patch these devicesbecause of the way they're
built and the way themanufacturer runs them and, as
you said, regulators are veryspecific around not just being
able to manipulate them in anyway.
Yeah, but it's really core andfundamental, right.
It's something that people needto consider, just to make sure
they're aware of what's on thenetwork what, what, the, what
the risks are for that.
And then segmentation is partof good design, right.
So you really are able to thenhelp them with their journey,
(08:18):
right.
Do an assessment up front andthen help customers with a
roadmap journey on how to end upwith a much better, secure and
visible environment.
Jason Payne (08:26):
Yeah, exactly that.
So we always look at risk andmaturity.
So when we take our customerson this journey exactly what
you've said it all starts withthe visibility.
Once a customer's at thevisibility stage, we look at the
maturity as the maturityincreases, the risk decreases.
We look at the maturity as thematurity increases, the risk
decreases and that flows throughand then going from that device
(08:48):
profiling to mitigating onvulnerabilities, putting
policies in place so that we cancompensate for anything that's
potentially at risk, but thenobviously doing the alerting.
So RO is an organization thathas SOC service.
(09:08):
That then getting that customerto mature and move to that
point where we can provide thosealerting to a SOC to be able to
then mitigate and remediatewhen there's potential threats
that's happening on the networkas well.
So, that takes all the waythrough from low maturity high
risk all the way through to yeahhigh maturity and at a lower
risk.
Michael van Rooyen (09:27):
Right and look under Clarity Healthcare.
You know you obviously workwith a lot of healthcare
providers, you know, on a globalscale, so getting great
insights and intelligence intowhat's happening from a medical
point of view, you know.
Can you touch on?
You know the continuousexplosion of new devices because
people have got this thingcalled internet and cloud and we
(09:47):
just buy devices and, great, wecan get much more data out of
it, which is fantastic.
Right, it has a businessbenefit, but of course that
increases risk and off the backof that, you know, can you touch
on what you're seeing as kindof some of the most common you
know vulnerabilities or specificvulnerabilities you're seeing
in the medical field?
Jason Payne (10:04):
Yeah, vulnerabilities or specific
vulnerabilities you're seeing inthe medical field.
Yeah, so if we look at ourcustomer base, we look at our
thousands of customers globally.
We just obviously released areport showing that we've just
tipped over 20 million deviceswhich we're monitoring globally.
So we're currently monitoringthose over 20 million medical
devices and the benefits ofdoing that is we've got this
huge data lake of these medicaldevices.
(10:25):
We know what firmwares are on,we know which ones have got
exploitable, knownvulnerabilities.
So known exploitablevulnerabilities and really what
we're trying to do here isbringing all that information
together as a knowledge base andsharing.
So when you look at onehealthcare delivery organization
, they're probably going to havevery similar devices to other.
(10:48):
But when you talk about puttingin controls and patching and
things like that, why would youpatch one device just because
the manufacturer has brought outa update for it and typically
updates are usually brought outbecause there's a vulnerability.
But you want to know that thatis safe.
You don't want to just updateyour medical devices with a
(11:09):
known patch that may not bestable.
So again, we can bring a lot ofthose smarts from what we're
seeing from a global point ofview as well.
So that's one of the benefitsof what we see by having a
specific healthcare productthat's monitoring all those
devices.
Michael van Rooyen (11:25):
Yeah, that's fantastic.
I mean it's been such goodintelligence right and just
seeing.
I guess the other benefitsyou've got with such a global
footprint over those thousandsof customers and millions of
devices is you know, as net newdevices are popped into, these
new vendor joins the portfolio.
You know there's always medicalconferences with some new
device or widget that is able tohelp medical practitioners and
(11:47):
people on the floor do their jobnurses, et cetera.
But you know the ability to beable to quickly identify those
and then tell customers you knowwe've identified this problem
or when a security vulnerabilityis announced, at least you can
give them that intel insightswithout them being kind of blind
.
Right is so critical when weparticularly think about you,
think about hypotheticals aroundthreat actors shutting down
(12:08):
medical devices and peoplepassing away.
I mean that's plausiblereasoning, but something that
gives it that fantasticvisibility right.
Jason Payne (12:18):
Yeah, and we see all sorts A part of what we're
doing from the visibility pointof view.
You can see medical devicessitting on guest networks and
we're not seeing hundreds andhundreds of them, but they're
happening.
Pretty much.
I would say most healthcaredelivery organizations are going
to have some misconfigurationwhere they may have a patient
device or a medical device whichmay be on the guest network.
(12:38):
So, obviously, that's a huge redflag in terms of what we've
seen Doctors updating theirTeslas from the car park, the
internet connectivity again,we've seen those that are coming
up on there as well.
So these are all things that dopose risk, because the
adversaries again are lookingfor the weakest point, and that
could be the weakest point thatsuddenly there's access to
(12:59):
something and ultimately the badguys they want to shut the
hospital down.
Of course, and ultimately thebad guys, they want to shut the
hospital down because they candemand a huge ransom, because
patient safety is paramount.
So what do the hospitals do?
It's like we've got control ofthe hospital and it could be
through something very similar,it could even be like a vending
machine.
And then what are the hospitalsgoing to do?
(13:20):
Are they just going to sittight and go?
Michael van Rooyen (13:23):
we're not going to pay the ransom and you
can't take people into operatingtheatres, so it's paramount
that they know what's there andwhat the risk is for them to be
able to do that and it'sinteresting you touch on that
Gardner said last year, I think,at one of the symposiums, one
of the key messages isrealistically, these devices are
critical infrastructure, right,no matter how you look at them,
whilst it's in the medicalfield, they provide a critical
(13:43):
service.
And they were saying that really, the threat actors are on a
mission to literally causephysical harm to really prove
their point right.
And it just continues.
And you touched on the weakestlink, right.
So not being able to know whatyour weakest link is, how can
you remediate?
And that's where Medicaid sorryClarity Healthcare comes in.
If I was then to think aboutthe threat actors, is ransomware
(14:04):
attacks, you know, still themost common thing you're seeing
in healthcare.
There's been a number ofincidents globally of those.
Do you think that, because ofthe sensitivity of the PII
information and those devices,that's still a target on how to
get customers to pay ransom isthrough ransomware?
Jason Payne (14:20):
Yeah, I mean, look, you've touched on two points.
There is ransomware iscertainly going to be the main
motive, because they can chargea huge ransom.
You can't just have a hospitalshut down.
Michael van Rooyen (14:32):
It just can't happen.
Jason Payne (14:33):
So ransomware attacks we're seeing more of
them but then we are also seeingpatient data and information
that's been stolen, and that'snot necessarily through the
hospital network.
So we know we know the bigbreaches, what happened and
medibank breach and so and soforth that there's there's a lot
of patient information that'sbeen stolen which is not
necessarily linked to thepatient care in the sense that,
(14:56):
okay, still, the patientinformation, yeah, you can do a
lot of things with that.
But shutting a hospital down,stopping people going into
surgery because you've takencontrol of the network, is
something completely separate,which is much graver
consequences in terms ofpeople's safety and their lives.
So, um, they're both really badthings to happen is that you
(15:18):
get your your personalinformation stolen, but it's not
necessarily going to kill you,yes, whereas if you're stuck in
an elevator that's stoppedbecause the hospital can't get
you to operate in theatre, thenyou've got a big problem?
Michael van Rooyen (15:30):
Yeah, of course, absolutely.
And pivoting away a little bitaway from the healthcare the
sector, I just wanted to touchon a little bit around your
career in channel partnerships.
Can you give advice or touch onhow you build a real strong
channel relationship,particularly here in the ANZ
region, knowing you've been inother areas?
Jason Payne (15:49):
Yeah, my background being channel, I understand the
importance of channel partners.
What they bring the channelecosystem, is what enables a
vendor to scale Services that achannel partner offers and their
reach into the markets which wewant to get into, which we
can't do on our own, isabsolutely crucial to us.
So working with our channelpartners and having them do what
Auro are doing is buildingmanaged services around a
(16:11):
solution and a business outcomeis crucial to success is having
that services element.
That's important to the partneras well and from my background,
I understand it from all sides.
So I understand thedistribution side, I understand
the partner landscape, Iunderstand the vendor landscape,
so I understand what'simportant to each person and I
think we've been very successfulin the last 12 months in this
(16:34):
healthcare sector yes and whatwe've done with our partners is
because personally, I know howhow operate and what they
require from the vendor to besuccessful, and I think that's
extremely important.
Michael van Rooyen (16:49):
And off that note, what are the kind of
qualities knowing you've been on?
Jason Payne (16:52):
the other side, what are?
Michael van Rooyen (16:53):
kind of the qualities you're looking for in
the ideal partner.
Jason Payne (16:55):
Yeah, so a partner who's going to invest in
technology and that's intraining partner who's going to
invest in technology and that'sin training, so ensuring that
they've got adequate skill setsto be able to support the
solution, not only in apre-sales but a post-sales
function as well, because that'sgoing to be where the partner.
We want to make sure thepartners are making money,
they're not just selling aproduct and walking away to the
next deal.
(17:16):
We want the partner to be apart of the life cycle journey
with the customer.
So a partner needs to invest inthe training so their pre-sales
people understand the product,they can scope it and then they
can present it and sell it.
Sales people need to be able toarticulate it again.
So it's important for thepartner sales people to
understand and they can deliverthe same message as we do as the
(17:39):
vendor.
And then the postales is reallywhere the customer is going to
get value, because we want toensure that these customers
remain with us for a long periodof time, and they're only going
to remain with us for a longperiod of time is if they're
happy.
And our partners can providethat in terms of that post-sales
customer success part beingwith them on the journey,
ensuring that they're gettingvalue out of it, ensure that's
(18:01):
mapping back to maybe a managedservice that they're providing
and strengthening thatrelationship.
So we want our partners tostrengthen their relationship
with the customer for ourengagement as well.
Michael van Rooyen (18:10):
Yeah, that's fantastic, and can you just
talk a bit about in your salesdirector kind of role?
How do you approach engaginghealthcare providers to really
understand the unique challengesin dementia?
I know it's your lifeblood, soto speak, pardon the pun.
Maybe you could talk a littlebit about that.
It's really interesting fromhow people engage particularly
with healthcare.
And then if I think about howregulated that industry is, what
(18:32):
are some of the methodologiesof your approach to do that?
Jason Payne (18:35):
Yeah, so we're not a huge team, especially our
healthcare team.
Michael van Rooyen (18:38):
We're not huge.
Jason Payne (18:39):
And if you look at the private and public sector,
yes, across australia, yes,there's a lot to go after.
Yeah, public sector has all itsnuances, the politics involved
around local health districtsand how it's, how they, how the
public sector, split up, and ourpartners obviously have a lot
of expertise to help with that.
So typically, what we're seeingis is that when we're reaching
(19:00):
into these markets, especiallythe public sector, we ideally
want to be at the top.
So we want to be working withthe departments of health, but
it's a very long journey for adepartment of health to choose
on not only a partner but also atechnology.
So that means, then, that we'vegot all the other tiers are
(19:20):
below.
So when we're looking atintroducing our technology to
healthcare delivery organization, even be the public or the
private sector, we need tofoster those relationships, and
typically they can be builtbased around, possibly, some
projects that the partner isalready providing to that
healthcare delivery organization.
(19:40):
So it may be that you'relooking after the network, it
may be that you're looking aftera managed service for security
of some kind, and then we canlook to pivot off that to say,
well, what are you actuallydoing around monitoring of
healthcare devices and what?
Michael van Rooyen (19:53):
are you?
Jason Payne (19:53):
doing so.
From our side, we areapproaching those customers and
we're looking at kind of ourfour key use cases around
visibility, vulnerability, riskmanagement, anomaly and threat
detection, network security andclinical device efficiency,
which is kind of how our productworks.
But we've got variousstakeholders within those
(20:14):
customers and typically thestakeholders are going to be
your network team, your securityteam and your biomedical team.
So we need to bring those teamstogether.
So working with a partner, apartner such as Oro will have a
relationship with one of thoseteams, if not more, right.
So that's how we want to worktogether.
There's no point us trying togo in on our own and trying to
(20:37):
get across all the state andterritory health sectors and
across all the individual healthservices and health districts.
We can't scale.
We need to go in with thatcommon approach to be able to
have those meaningfulconversations with the security
teams and the network and biomedteams, yeah, because I mean
they're really blending right.
Michael van Rooyen (20:58):
Technology is core and fundamental to
everything everyone's deliveringtoday.
So being able to engage withthe business and also work
through the tech stack, you know, even we see the convergence of
the network and security teamsworking together.
Then we add you know, this kindof medical field, we add IoT.
It's kind of this realconvergence we've been talking
about for a very long time isfinally here, talking about
scaling out and other components.
(21:20):
You know, if you think aboutthe, we have to talk about AI,
of course, but if I think aboutit from a medical view or you
know, it's really seeing AI andmachine learning reshaping the
industry and security solutions.
Can you talk a little bit aboutwhat you guys are doing in that
space?
You know how you're leveragingthat, considering the data set
you've got.
Jason Payne (21:37):
Yeah, so a lot of what we're doing with the AI
part and machine learning partis around our data lake and what
we're collecting and what we'reknowing about medical devices
and what we're seeing.
And when I mentioned those 20million devices, we have to look
at things like vulnerabilities.
So there's knownvulnerabilities, there's
thousands and thousands of them,but what does that actually
(21:57):
mean?
You could go to a customer andgo well, we found 20,000
vulnerabilities across 000vulnerabilities across your
environment.
Okay, well, what am I going todo about it?
yeah you want to know knownexploited vulnerabilities,
because that's the bit that youwant to dissect and go.
Well, known exploitedvulnerabilities are going to be
more important.
But what does that mean to yourorganization?
Yes, based on what we're seeingthrough similar organizations,
(22:19):
they've got similar technologywho have potentially had that
vulnerability exploited.
So we're using a lot of ai towork for our dollar lake of all
of the devices that we're seeingthe firmware versions, but
breaking it down to moremeaningful, actionable items,
which is don't go and try andpatch 20,000 devices because it
(22:41):
doesn't really matter and you'llnever, ever be able to keep up
with the CVEs and the patchesand everything else.
But let's look at the knownexploited vulnerabilities,
specifically those that areassociated to a subset of
technology which is in yourenvironment, that's where a lot
of our AI is coming in, so it'spinpointed for that particular
(23:02):
customer.
So we can look at a customer Aand say we know what you've got
and we know where you shouldfocus your attention, rather
than having this minefield ofdevices with risks associated to
them.
And, yeah, trying to make itmore meaningful, to give them
the tools to be able to quicklyremediate what they have to.
Michael van Rooyen (23:26):
Yeah, yeah, it's fascinating.
And if I think around then youknow you talked about SOCI
before.
You mentioned SOCIAC, which isvery, very critical for
Australia.
The government's really focusingon how we secure critical
infrastructure and medicalobviously is one of the key
pillars to that.
Can you talk a little bit aboutwhat you're seeing customers do
from the medical field aroundthe supply chain of that,
(23:46):
because everyone thinks aboutSockie as its own entity or for
that entity, but we're nowseeing a lot of discussion
around the supply chain being.
Part of that Is that some ofthe conversations you're having
with customers as well about howthat blast radius is extended.
Jason Payne (23:59):
Yeah, so a piece of work that I've looked at
personally.
So you may or may not know, andyou might be amazed to know,
that out of all the hospitalspublic and private sector
hospitals across australia, only91 hospitals are designated
sake hospitals all right.
So the way the governmentdefines which hospital has to
(24:22):
comply with SOCI is based ondoes it have a critical care
facility or uni?
Michael van Rooyen (24:27):
Yes.
Jason Payne (24:27):
So I look at this and go well, every hospital
that's got patients, regardlessif it's got a critical care unit
, intensive care unit, theyframe me.
So out of the hundreds ofhospitals we've got in Australia
, only 91 of those have to becompliant for.
Michael van Rooyen (24:47):
SOC-E Wow.
Jason Payne (24:48):
And it all goes back to politics again, because
if you say all the hospitalshave to be compliant, they're
going to need money to be ableto do it.
So where's that money going tocome from?
The government's going to haveto find it to actually pay for
it.
So what they've said is okay,okay, we're going to take a
subset.
So those 91 designated sakehospitals then have to have
(25:08):
those requirements in placewhich we can help with and we
can.
We can do that work with ourpartners as well.
Which is how do you know whatthose critical assets are?
How do you, how do you map thatto sake in terms of that supply
chain of?
Okay, what does that supplychain look like?
Or what are those devices thatmay have to be reported on for
SOCI to Home Affairs?
(25:29):
So we help with that and we dothe same with Essential A.
So all these hospitals have tobe.
There was new requirementscoming out with Essential A that
known vulnerabilities have tobe remediated within a certain
time frame as part of Level 1,Essential 8.
But again, you need to know whatyou've got to be able to
remediate those vulnerabilities,and that's how we can help our
(25:51):
customers as well with thingslike that, yeah.
Michael van Rooyen (25:55):
Looking forward to the future, what are
the trends and developmentsyou're seeing on the horizon for
the healthcare?
Iot, iot, security, securityand just the cybersecurity
aspects as a whole?
Jason Payne (26:06):
Yeah.
So a lot of the CISOs we'vespoken to in healthcare is they
want a standardized framework,especially for medical device
manufacturers, because medicaldevice manufacturers.
They've all got proprietaryprotocols.
They're all using differentencryption methods.
There's not a standardizedframework, which has happened in
OT.
(26:26):
So we need to get thehealthcare organizations
together to lobby towards astandard framework, because
we're seeing things like, okay,tls encryption on certain
medical devices, and again onemanufacturer will use one way of
encrypting the traffic andanother one will use something
(26:48):
else, and we can see certainthings in one header we can't
see in another header, andyou've got TLS for wireless
devices.
There's all these differentmethods that, from a security
point of view, everyone's tryingto be at the forefront to
ensure that they're mitigatingthe problems.
But it's not standard acrossthe industry.
They're all doing their ownthings.
(27:09):
So, I think what we need to seeis we need to see
standardization across medicaldevice manufacturers.
Michael van Rooyen (27:15):
Of that, is there some innovations that
you're allowed to talk toBecause I'm sure there's always
some skunk works going on withwhat you guys are doing but some
innovations and capabilitiesthat your team's bringing to the
healthcare sector or othersectors?
Jason Payne (27:27):
Yeah, so we've got various facets of how we develop
our products.
We've got Team 82, which is athreat team, so our threat team
are constantly looking at waysto innovate based on what
they're seeing from a threatpoint of view.
So they're actively looking atways devices can be exploited.
We also obviously take a lot offeedback from our customers as
well.
So one of the things whichwe're proud of at Claroty is
(27:49):
part of our ideas portal that wehave, where our customers can
submit what they want out of ourplatform and what they want us
to put our development andresearch into.
So, again, we're looking atthat as well.
We're actively talking tomedical device manufacturers to
get an insight into what they'redoing.
So outside, outside of nothaving a common framework or
standards with thesemanufacturers, we're also
(28:11):
looking at ways that we canintegrate better with them,
because what we want to makesure is that we're giving
customers the best visibilityinto those devices and what's
happening on the network.
So a lot of what Clary does aswell is that we're doing a lot
of research and development,working with medical device
manufacturers to pullintegrations from them as well,
so enriching information that'scoming back from these
(28:35):
manufacturers whilst theydevelop their own kind of
security measures as well.
So there's a lot of stuff we'redoing there in the background
to ensure and we need to do thatbecause we need to stay
relevant.
So of course, that's a lot thatwe do in terms of strengthening
and broadening out and alsothrough our alliances as well.
So we've got we've got a good,good strategic alliances as well
(28:56):
yeah, fantastic, yeah, that,that, that's, that's, uh, you
know.
Michael van Rooyen (28:58):
Again back to that in a starting point,
right, if you can do that.
Very interesting, as we getcloser to the end of our
discussion today, which has beenvery insightful, is, um, you
know what?
What advice would you givehealthcare security leaders or
operators, or in the tech spacethere who are looking after
these facilities around some ofthe challenges that they're
facing in securing these devices, particularly as we see?
(29:21):
The continuous explosion ofdigital transformation,
explosion of devices, iot, etcetera.
Yeah of digital transformation,explosion of devices, iot, et
cetera.
Yeah, yeah.
Jason Payne (29:27):
As more and more devices are coming on the
network, actually what they doand how they communicate and the
characteristics of thosedevices, and it's becoming a
bigger and bigger problem, asyou mentioned, as more and more
things get connected.
So from a security point ofview, you need to understand
what your risk profile is, andthat's not.
(29:48):
I've got all my medical devicesin a CMDB or in a database that
says, well, okay, I know whatthose are, okay, that's fine,
but a database is not going totell you what the risks are
associated to them.
So for healthcare deliveryorganizations, they all need to
have a baseline understanding ofwhat's communicating on the
network and, as I mentionedbefore, even if they're in a low
(30:10):
maturity phase, they need toknow what that risk is, because
without it, how can they reportthose ones that are psychic?
How can they report?
They can't if they don't knowwhat they've got.
So my advice is to healthcaredelivery organizations and
hospitals understand where thatprogram of work fits in in the
broadest scheme of things.
(30:30):
So they're all allocatingbudget towards security and what
that looks like and securingpatient records.
But you have to go broader thanthat as well, and and sometimes
it can be an area which, uh,it's a nice to have, yes, rather
a must have.
Yes, and we know the must haves.
Everyone's got firewalls andcorporate security for the
(30:52):
network and everything else.
But is it a nice to have?
It can't be seen as a nice tohave.
Michael van Rooyen (30:57):
A hundred percent.
Jason Payne (30:58):
They have to have this because that is where the
bad guys are going to come in,of course.
So, even if they want to startat a very, very small point,
which is just visibility, soeven if they want to start at a
very, very small point, which isjust visibility, and then
understand how that's going tobuild into their broader cyber
strategy, build something intothat strategy that takes into
account visibility of yournon-managed devices and I'm
(31:18):
talking about medical devices.
Yeah, of course, look that'sfantastic advice.
Michael van Rooyen (31:22):
One of the last questions I'd like to ask
participants of the podcast isto tell me about the most
significant technology change orshift you've been involved with
or seen during your time in theindustry, and that doesn't have
to be particularly aroundmedical or channel, or anything
that you've been involved withbefore Could be, you know,
outside of your domain or inyour domain.
Jason Payne (31:45):
Like what's the most significant thing you've
seen, impact us or you've beeninvolved with?
I think, as of today and evenseeing what we're seeing around,
this conference is AI.
Michael van Rooyen (31:52):
Yes.
Jason Payne (31:55):
It kind of blows your mind, yes, what we're
seeing.
And you look back in the futureand I'm an older person in this
industry now and you look howtechnology has moved along.
I mean, everyone's talkingabout AI and artificial
intelligence, but it is kind ofreal now and if you look you
mentioned chat, GPT and it'samazing how technology's moved
(32:20):
from now.
We've got all this AI and allthis information and all this
data and you're seeing theserobots that Elon Musk is making
and other companies are makingand it is scary and you think
that everyone's talking about.
In the future, you have a robotat home doing things for you.
Michael van Rooyen (32:36):
The Jetsons right.
Yeah, that's right.
Jason Payne (32:39):
And you aren't starting to see that happening.
So for me how it has come about.
And I remember in one of theoldest search engines before
Google there was a search engineprior to Google, around the
same time, where you were typingsomething, you'd ask a question
.
Michael van Rooyen (32:57):
Right.
Jason Payne (32:57):
But you never really had the smarts to really
answer the question properly asopposed to what Google can do
now and what AI can do.
It just blows my mind a littlebit where it's come from.
Oh look, it is amazing.
Michael van Rooyen (33:07):
mind a little bit where it's come from.
It is amazing, right.
Jason Payne (33:09):
Einstein.
Was it Einstein or?
Michael van Rooyen (33:10):
which one?
It was yeah, yeah, yeah.
But I mean their vision waseffectively what we're seeing
now with AI.
Right, I mean asking that andunderstanding context and as we
build out, I mean it isphenomenal.
And then I think about you knowthe data behind that, the
networks to support that?
Yeah, you know.
Know the, the data behind that,the networks to support that?
Yeah, you know industry?
Uh, one of the reasons in ourindustry and love our industries
it just continues to change,right, it evolves, yeah, all the
(33:31):
time.
I think we've all been verybeneficial in, in enjoying that
journey.
Yeah, it always surprises mewhen we think we're kind of
capping out on where we thinkshould be it.
Just something else comes leftfield, right.
So yeah and, look, I appreciatethe time today having having a
chat to me.
It was an excellentconversation, you you know,
regarding, you know really, thevisibility and all things in
that, and particularly medicalfor those who hadn't really
(33:52):
heard about the space.
So again, jason, reallyappreciate the time.
Yeah, pleasure.
It's important to know that security is only as
good as being able to stop theweakest link.
So the weakest link could be asmall IoT or sensor or device
which then gives an adversarythe opportunity to traverse and
potentially shut a hospital downand demand a huge ransom.
Those hospitals particularlyhave to have something in place
(00:22):
to know what those criticalassets are and how they can
report on those critical assetsare, and how they can report on
those critical assets and whatthey're going to do in the event
that there was a breach and howthey're going to remediate that
.
Michael van Rooyen (00:32):
Today I have the pleasure in having a chat
to Jason Payne, who's the salesdirector of ANZ at Claroty
Healthcare.
We're going to be talking allthings around digital visibility
healthcare sector and theunique challenges that faces
that component of the industry.
Jason, welcome to the podcast.
Thank you very much Thanks forinviting me in.
Yeah, I appreciate you coming inand we're catching up fairly
(00:52):
late at Cisco Live and I reallyappreciate the time Before we
start.
Do you mind just spending amoment on your career and your
journey around network securityvisibility and what led you to
your current role as the salesdirector of ANZ for Claroty
Healthcare?
Jason Payne (01:11):
Yeah, so my background as you can probably
tell from my accent, I'm notfrom Australia, so I came to
Australia in 2011.
So I've been here almost 14years and my background was
predominantly channel, so I'vegot a very, very good
understanding of distributionand channel partners.
Right Came to Australia, movedinto distribution to start with
so I could get an understandingof the market, who the partners
(01:32):
were, what they were doing, andthen progressed, obviously into
the vendor vendor land, with myfirst vendor gig working for
Palo Alto, which was there fornearly four years, and after
there moved across to SplunkAgain, national partner manager
looking after a couple of bigpartners there, and then was
presented with an opportunity tojoin Claroty.
(01:53):
So I thought, shall I comeacross to a pre-IPO vendor and
see where that takes me?
So that's brought me here today.
So I've been with Claroty nowfor four years.
I started in their channel toalliances role for the last 12
months.
I've now moved into the salesdirector role for healthcare, so
responsible for thego-to-market, the plan, the
(02:14):
strategy around our healthcareoffering and our healthcare
platform, which some peopleformerly know as Medigate, which
is now Xdome for healthcare.
Michael van Rooyen (02:24):
And if I think about your broad
background there not onlydistribution, which is quite
interesting.
I had a guest recently talkabout that.
It's a unique space, but you'vereally been playing the channel
, which is great, right.
We're in an industry thatreally focuses on channel
partners Time at Palo Altoreally understanding the
security landscape and now intothe visibility space, right.
(02:44):
So it's certainly a fascinatingthing.
It's quite a simple fundamentalabout what it is around digital
visibility, but how key it isto resolving and actually
maintaining and looking aftercustomers' environments.
So off that, healthcareorganizations face a lot of
unique challenges, particularlyif we think about the explosion
(03:05):
of IoT devices and IoT security.
We have a lot of criticalinstrumentation on the
healthcare floor.
Can you talk a bit about whatsome of the key risks associated
with healthcare are,holistically from a tech lens,
and then maybe a bit about theOT lens on that as well?
Jason Payne (03:23):
Yeah, so healthcare , what we've seen on healthcare
as opposed to more traditionalOT and the verticals that are on
our OT side is that inhealthcare, healthcare delivery
organizations have typically gota pretty flat network.
So there's pretty much all insundry that's connected to the
network and most of the time,these organizations don't really
(03:45):
know what's on the network.
So you've got patient monitorsor your equipment, medical
devices which are associatedwith patient care, as well as
corporate systems as well, andthey all kind of reside on the
same network, as well as thoseOT devices and IoT devices for
the buildings of hospitals aswell.
For the buildings of hospitalsas well.
(04:05):
Yes, and it's important to knowthat security is only as good as
being able to stop the weakestlink.
So the weakest link could be asmall IoT or sensor or device
which then gives an adversarythe opportunity to traverse and
potentially shut a hospital downand demand a huge ransom.
So the challenges we're seeingis that, with healthcare then
(04:27):
being brought into security ofcritical infrastructure in the
SOCI Act, those hospitalsparticularly have to have
something in place to know whatthose critical assets are and
how they can report on thosecritical assets and what they're
going to do in the event thatthere was a breach and how
they're going to remediate that.
So the challenges thehealthcare have got is that they
(04:48):
want to have the hospitaloperating 24 hours a day looking
after patients they don'treally want to be worrying about
.
Okay, we're going to have acyber breach on a patient
monitoring device, but it canhappen.
So that's a big challenge forthem and even asset inventory
and lifecycle management andspending as well against those
(05:09):
devices which reside within ahospital.
Michael van Rooyen (05:11):
Yeah, yeah, and off that, I think about the
challenges you've just spokenabout around.
You know those devices andwe'll go a little bit deeper
into those in a sec, but do youmind just then taking a second
for people listening andexplaining what Claroty does,
what its mission is.
Jason Payne (05:28):
you know what problem it solves in relation to
this visibility and howcritical it is to have this lens
on things.
Yeah, so when you look athealthcare and medical devices,
they're very, very different toIT devices.
Every manufacturer medicaldevice manufacturer will build
their technology with their ownproprietary protocols.
So it's important to understandwell how do they traverse on
the networks within thesehospitals.
So Clarity solves the problemby giving the visibility into
(05:53):
those devices, by understandingthe protocols that the items,
the assets or the devices arecommunicating.
And then, once we've profiledthem, what Clarity does is it
then enables the organization tohave a risk profile associated
to it.
So what do these devices looklike?
What risks do they pose to thehospital?
(06:15):
What plans can be put in placeto mitigate that risk and reduce
the risk?
So we look at things likevulnerabilities what
vulnerabilities associated tothese medical devices and can
they be patched?
There's a lot of devices whichcan't be patched, and there's
TGA and FDA and there's a lot of.
You can't put certain thingslike EDR onto endpoint agents
(06:37):
onto medical devices.
So what do you do in thoseinstances?
So we build the foundations tobe able to create the security,
not just the security profilesfrom an enforcement point of
view, but understandingworkflows around vulnerability
and risk.
Looking at communication flows,so anomaly and threat detection.
So are these devicescommunicating to malicious IPs?
(06:59):
Is a medical device got accessto the internet?
Again, it's all risk?
Yes, but also the networksegmentation device.
Got access to the internet?
Against all risk?
Yes, but also their networksegmentation.
So a big part of what we do andone of the reasons why we're
here today at Cisco live is thesegmentation piece is around.
How do you build segmentationinto a hospital network without
knowing what's on there to startwith?
And we create the smarts aroundthat and we use clinical
(07:22):
context from all of ourthousands of customers globally
to understand what those devicesshould look like and how they
should be profiled and segmentedfrom a security point of view
as well.
Michael van Rooyen (07:33):
Yeah, fair enough too, and segmentation is
just so fundamental from anarchitecture point of view,
right?
So what you're really saying isbeing able to identify not only
the devices that are on thenetwork, because you know, you
don't know.
What you don't know is reallythe premise there.
The second part is how are theyoperating?
What, the, what are theirvulnerabilities?
What do we need to report on?
And you certainly did touch on agreat topic around not being
(07:56):
able to just patch these devicesbecause of the way they're
built and the way themanufacturer runs them and, as
you said, regulators are veryspecific around not just being
able to manipulate them in anyway.
Yeah, but it's really core andfundamental, right.
It's something that people needto consider, just to make sure
they're aware of what's on thenetwork what, what, the, what
the risks are for that.
And then segmentation is partof good design, right.
So you really are able to thenhelp them with their journey,
(08:18):
right.
Do an assessment up front andthen help customers with a
roadmap journey on how to end upwith a much better, secure and
visible environment.
Jason Payne (08:26):
Yeah, exactly that.
So we always look at risk andmaturity.
So when we take our customerson this journey exactly what
you've said it all starts withthe visibility.
Once a customer's at thevisibility stage, we look at the
maturity as the maturityincreases, the risk decreases.
We look at the maturity as thematurity increases, the risk
decreases and that flows throughand then going from that device
(08:48):
profiling to mitigating onvulnerabilities, putting
policies in place so that we cancompensate for anything that's
potentially at risk, but thenobviously doing the alerting.
So RO is an organization thathas SOC service.
(09:08):
That then getting that customerto mature and move to that
point where we can provide thosealerting to a SOC to be able to
then mitigate and remediatewhen there's potential threats
that's happening on the networkas well.
So, that takes all the waythrough from low maturity high
risk all the way through to yeahhigh maturity and at a lower
risk.
Michael van Rooyen (09:27):
Right and look under Clarity Healthcare.
You know you obviously workwith a lot of healthcare
providers, you know, on a globalscale, so getting great
insights and intelligence intowhat's happening from a medical
point of view, you know.
Can you touch on?
You know the continuousexplosion of new devices because
people have got this thingcalled internet and cloud and we
(09:47):
just buy devices and, great, wecan get much more data out of
it, which is fantastic.
Right, it has a businessbenefit, but of course that
increases risk and off the backof that, you know, can you touch
on what you're seeing as kindof some of the most common you
know vulnerabilities or specificvulnerabilities you're seeing
in the medical field?
Jason Payne (10:04):
Yeah, vulnerabilities or specific
vulnerabilities you're seeing inthe medical field.
Yeah, so if we look at ourcustomer base, we look at our
thousands of customers globally.
We just obviously released areport showing that we've just
tipped over 20 million deviceswhich we're monitoring globally.
So we're currently monitoringthose over 20 million medical
devices and the benefits ofdoing that is we've got this
huge data lake of these medicaldevices.
(10:25):
We know what firmwares are on,we know which ones have got
exploitable, knownvulnerabilities.
So known exploitablevulnerabilities and really what
we're trying to do here isbringing all that information
together as a knowledge base andsharing.
So when you look at onehealthcare delivery organization
, they're probably going to havevery similar devices to other.
(10:48):
But when you talk about puttingin controls and patching and
things like that, why would youpatch one device just because
the manufacturer has brought outa update for it and typically
updates are usually brought outbecause there's a vulnerability.
But you want to know that thatis safe.
You don't want to just updateyour medical devices with a
(11:09):
known patch that may not bestable.
So again, we can bring a lot ofthose smarts from what we're
seeing from a global point ofview as well.
So that's one of the benefitsof what we see by having a
specific healthcare productthat's monitoring all those
devices.
Michael van Rooyen (11:25):
Yeah, that's fantastic.
I mean it's been such goodintelligence right and just
seeing.
I guess the other benefitsyou've got with such a global
footprint over those thousandsof customers and millions of
devices is you know, as net newdevices are popped into, these
new vendor joins the portfolio.
You know there's always medicalconferences with some new
device or widget that is able tohelp medical practitioners and
(11:47):
people on the floor do their jobnurses, et cetera.
But you know the ability to beable to quickly identify those
and then tell customers you knowwe've identified this problem
or when a security vulnerabilityis announced, at least you can
give them that intel insightswithout them being kind of blind
.
Right is so critical when weparticularly think about you,
think about hypotheticals aroundthreat actors shutting down
(12:08):
medical devices and peoplepassing away.
I mean that's plausiblereasoning, but something that
gives it that fantasticvisibility right.
Jason Payne (12:18):
Yeah, and we see all sorts A part of what we're
doing from the visibility pointof view.
You can see medical devicessitting on guest networks and
we're not seeing hundreds andhundreds of them, but they're
happening.
Pretty much.
I would say most healthcaredelivery organizations are going
to have some misconfigurationwhere they may have a patient
device or a medical device whichmay be on the guest network.
(12:38):
So, obviously, that's a huge redflag in terms of what we've
seen Doctors updating theirTeslas from the car park, the
internet connectivity again,we've seen those that are coming
up on there as well.
So these are all things that dopose risk, because the
adversaries again are lookingfor the weakest point, and that
could be the weakest point thatsuddenly there's access to
(12:59):
something and ultimately the badguys they want to shut the
hospital down.
Of course, and ultimately thebad guys, they want to shut the
hospital down because they candemand a huge ransom, because
patient safety is paramount.
So what do the hospitals do?
It's like we've got control ofthe hospital and it could be
through something very similar,it could even be like a vending
machine.
And then what are the hospitalsgoing to do?
(13:20):
Are they just going to sittight and go?
Michael van Rooyen (13:23):
we're not going to pay the ransom and you
can't take people into operatingtheatres, so it's paramount
that they know what's there andwhat the risk is for them to be
able to do that and it'sinteresting you touch on that
Gardner said last year, I think,at one of the symposiums, one
of the key messages isrealistically, these devices are
critical infrastructure, right,no matter how you look at them,
whilst it's in the medicalfield, they provide a critical
(13:43):
service.
And they were saying that really, the threat actors are on a
mission to literally causephysical harm to really prove
their point right.
And it just continues.
And you touched on the weakestlink, right.
So not being able to know whatyour weakest link is, how can
you remediate?
And that's where Medicaid sorryClarity Healthcare comes in.
If I was then to think aboutthe threat actors, is ransomware
(14:04):
attacks, you know, still themost common thing you're seeing
in healthcare.
There's been a number ofincidents globally of those.
Do you think that, because ofthe sensitivity of the PII
information and those devices,that's still a target on how to
get customers to pay ransom isthrough ransomware?
Jason Payne (14:20):
Yeah, I mean, look, you've touched on two points.
There is ransomware iscertainly going to be the main
motive, because they can chargea huge ransom.
You can't just have a hospitalshut down.
Michael van Rooyen (14:32):
It just can't happen.
Jason Payne (14:33):
So ransomware attacks we're seeing more of
them but then we are also seeingpatient data and information
that's been stolen, and that'snot necessarily through the
hospital network.
So we know we know the bigbreaches, what happened and
medibank breach and so and soforth that there's there's a lot
of patient information that'sbeen stolen which is not
necessarily linked to thepatient care in the sense that,
(14:56):
okay, still, the patientinformation, yeah, you can do a
lot of things with that.
But shutting a hospital down,stopping people going into
surgery because you've takencontrol of the network, is
something completely separate,which is much graver
consequences in terms ofpeople's safety and their lives.
So, um, they're both really badthings to happen is that you
(15:18):
get your your personalinformation stolen, but it's not
necessarily going to kill you,yes, whereas if you're stuck in
an elevator that's stoppedbecause the hospital can't get
you to operate in theatre, thenyou've got a big problem?
Michael van Rooyen (15:30):
Yeah, of course, absolutely.
And pivoting away a little bitaway from the healthcare the
sector, I just wanted to touchon a little bit around your
career in channel partnerships.
Can you give advice or touch onhow you build a real strong
channel relationship,particularly here in the ANZ
region, knowing you've been inother areas?
Jason Payne (15:49):
Yeah, my background being channel, I understand the
importance of channel partners.
What they bring the channelecosystem, is what enables a
vendor to scale Services that achannel partner offers and their
reach into the markets which wewant to get into, which we
can't do on our own, isabsolutely crucial to us.
So working with our channelpartners and having them do what
Auro are doing is buildingmanaged services around a
(16:11):
solution and a business outcomeis crucial to success is having
that services element.
That's important to the partneras well and from my background,
I understand it from all sides.
So I understand thedistribution side, I understand
the partner landscape, Iunderstand the vendor landscape,
so I understand what'simportant to each person and I
think we've been very successfulin the last 12 months in this
(16:34):
healthcare sector yes and whatwe've done with our partners is
because personally, I know howhow operate and what they
require from the vendor to besuccessful, and I think that's
extremely important.
Michael van Rooyen (16:49):
And off that note, what are the kind of
qualities knowing you've been on?
Jason Payne (16:52):
the other side, what are?
Michael van Rooyen (16:53):
kind of the qualities you're looking for in
the ideal partner.
Jason Payne (16:55):
Yeah, so a partner who's going to invest in
technology and that's intraining partner who's going to
invest in technology and that'sin training, so ensuring that
they've got adequate skill setsto be able to support the
solution, not only in apre-sales but a post-sales
function as well, because that'sgoing to be where the partner.
We want to make sure thepartners are making money,
they're not just selling aproduct and walking away to the
next deal.
(17:16):
We want the partner to be apart of the life cycle journey
with the customer.
So a partner needs to invest inthe training so their pre-sales
people understand the product,they can scope it and then they
can present it and sell it.
Sales people need to be able toarticulate it again.
So it's important for thepartner sales people to
understand and they can deliverthe same message as we do as the
(17:39):
vendor.
And then the postales is reallywhere the customer is going to
get value, because we want toensure that these customers
remain with us for a long periodof time, and they're only going
to remain with us for a longperiod of time is if they're
happy.
And our partners can providethat in terms of that post-sales
customer success part beingwith them on the journey,
ensuring that they're gettingvalue out of it, ensure that's
(18:01):
mapping back to maybe a managedservice that they're providing
and strengthening thatrelationship.
So we want our partners tostrengthen their relationship
with the customer for ourengagement as well.
Michael van Rooyen (18:10):
Yeah, that's fantastic, and can you just
talk a bit about in your salesdirector kind of role?
How do you approach engaginghealthcare providers to really
understand the unique challengesin dementia?
I know it's your lifeblood, soto speak, pardon the pun.
Maybe you could talk a littlebit about that.
It's really interesting fromhow people engage particularly
with healthcare.
And then if I think about howregulated that industry is, what
(18:32):
are some of the methodologiesof your approach to do that?
Jason Payne (18:35):
Yeah, so we're not a huge team, especially our
healthcare team.
Michael van Rooyen (18:38):
We're not huge.
Jason Payne (18:39):
And if you look at the private and public sector,
yes, across australia, yes,there's a lot to go after.
Yeah, public sector has all itsnuances, the politics involved
around local health districtsand how it's, how they, how the
public sector, split up, and ourpartners obviously have a lot
of expertise to help with that.
So typically, what we're seeingis is that when we're reaching
(19:00):
into these markets, especiallythe public sector, we ideally
want to be at the top.
So we want to be working withthe departments of health, but
it's a very long journey for adepartment of health to choose
on not only a partner but also atechnology.
So that means, then, that we'vegot all the other tiers are
(19:20):
below.
So when we're looking atintroducing our technology to
healthcare delivery organization, even be the public or the
private sector, we need tofoster those relationships, and
typically they can be builtbased around, possibly, some
projects that the partner isalready providing to that
healthcare delivery organization.
(19:40):
So it may be that you'relooking after the network, it
may be that you're looking aftera managed service for security
of some kind, and then we canlook to pivot off that to say,
well, what are you actuallydoing around monitoring of
healthcare devices and what?
Michael van Rooyen (19:53):
are you?
Jason Payne (19:53):
doing so.
From our side, we areapproaching those customers and
we're looking at kind of ourfour key use cases around
visibility, vulnerability, riskmanagement, anomaly and threat
detection, network security andclinical device efficiency,
which is kind of how our productworks.
But we've got variousstakeholders within those
(20:14):
customers and typically thestakeholders are going to be
your network team, your securityteam and your biomedical team.
So we need to bring those teamstogether.
So working with a partner, apartner such as Oro will have a
relationship with one of thoseteams, if not more, right.
So that's how we want to worktogether.
There's no point us trying togo in on our own and trying to
(20:37):
get across all the state andterritory health sectors and
across all the individual healthservices and health districts.
We can't scale.
We need to go in with thatcommon approach to be able to
have those meaningfulconversations with the security
teams and the network and biomedteams, yeah, because I mean
they're really blending right.
Michael van Rooyen (20:58):
Technology is core and fundamental to
everything everyone's deliveringtoday.
So being able to engage withthe business and also work
through the tech stack, you know, even we see the convergence of
the network and security teamsworking together.
Then we add you know, this kindof medical field, we add IoT.
It's kind of this realconvergence we've been talking
about for a very long time isfinally here, talking about
scaling out and other components.
(21:20):
You know, if you think aboutthe, we have to talk about AI,
of course, but if I think aboutit from a medical view or you
know, it's really seeing AI andmachine learning reshaping the
industry and security solutions.
Can you talk a little bit aboutwhat you guys are doing in that
space?
You know how you're leveragingthat, considering the data set
you've got.
Jason Payne (21:37):
Yeah, so a lot of what we're doing with the AI
part and machine learning partis around our data lake and what
we're collecting and what we'reknowing about medical devices
and what we're seeing.
And when I mentioned those 20million devices, we have to look
at things like vulnerabilities.
So there's knownvulnerabilities, there's
thousands and thousands of them,but what does that actually
(21:57):
mean?
You could go to a customer andgo well, we found 20,000
vulnerabilities across 000vulnerabilities across your
environment.
Okay, well, what am I going todo about it?
yeah you want to know knownexploited vulnerabilities,
because that's the bit that youwant to dissect and go.
Well, known exploitedvulnerabilities are going to be
more important.
But what does that mean to yourorganization?
Yes, based on what we're seeingthrough similar organizations,
(22:19):
they've got similar technologywho have potentially had that
vulnerability exploited.
So we're using a lot of ai towork for our dollar lake of all
of the devices that we're seeingthe firmware versions, but
breaking it down to moremeaningful, actionable items,
which is don't go and try andpatch 20,000 devices because it
(22:41):
doesn't really matter and you'llnever, ever be able to keep up
with the CVEs and the patchesand everything else.
But let's look at the knownexploited vulnerabilities,
specifically those that areassociated to a subset of
technology which is in yourenvironment, that's where a lot
of our AI is coming in, so it'spinpointed for that particular
(23:02):
customer.
So we can look at a customer Aand say we know what you've got
and we know where you shouldfocus your attention, rather
than having this minefield ofdevices with risks associated to
them.
And, yeah, trying to make itmore meaningful, to give them
the tools to be able to quicklyremediate what they have to.
Michael van Rooyen (23:26):
Yeah, yeah, it's fascinating.
And if I think around then youknow you talked about SOCI
before.
You mentioned SOCIAC, which isvery, very critical for
Australia.
The government's really focusingon how we secure critical
infrastructure and medicalobviously is one of the key
pillars to that.
Can you talk a little bit aboutwhat you're seeing customers do
from the medical field aroundthe supply chain of that,
(23:46):
because everyone thinks aboutSockie as its own entity or for
that entity, but we're nowseeing a lot of discussion
around the supply chain being.
Part of that Is that some ofthe conversations you're having
with customers as well about howthat blast radius is extended.
Jason Payne (23:59):
Yeah, so a piece of work that I've looked at
personally.
So you may or may not know, andyou might be amazed to know,
that out of all the hospitalspublic and private sector
hospitals across australia, only91 hospitals are designated
sake hospitals all right.
So the way the governmentdefines which hospital has to
(24:22):
comply with SOCI is based ondoes it have a critical care
facility or uni?
Michael van Rooyen (24:27):
Yes.
Jason Payne (24:27):
So I look at this and go well, every hospital
that's got patients, regardlessif it's got a critical care unit
, intensive care unit, theyframe me.
So out of the hundreds ofhospitals we've got in Australia
, only 91 of those have to becompliant for.
Michael van Rooyen (24:47):
SOC-E Wow.
Jason Payne (24:48):
And it all goes back to politics again, because
if you say all the hospitalshave to be compliant, they're
going to need money to be ableto do it.
So where's that money going tocome from?
The government's going to haveto find it to actually pay for
it.
So what they've said is okay,okay, we're going to take a
subset.
So those 91 designated sakehospitals then have to have
(25:08):
those requirements in placewhich we can help with and we
can.
We can do that work with ourpartners as well.
Which is how do you know whatthose critical assets are?
How do you, how do you map thatto sake in terms of that supply
chain of?
Okay, what does that supplychain look like?
Or what are those devices thatmay have to be reported on for
SOCI to Home Affairs?
(25:29):
So we help with that and we dothe same with Essential A.
So all these hospitals have tobe.
There was new requirementscoming out with Essential A that
known vulnerabilities have tobe remediated within a certain
time frame as part of Level 1,Essential 8.
But again, you need to know whatyou've got to be able to
remediate those vulnerabilities,and that's how we can help our
(25:51):
customers as well with thingslike that, yeah.
Michael van Rooyen (25:55):
Looking forward to the future, what are
the trends and developmentsyou're seeing on the horizon for
the healthcare?
Iot, iot, security, securityand just the cybersecurity
aspects as a whole?
Jason Payne (26:06):
Yeah.
So a lot of the CISOs we'vespoken to in healthcare is they
want a standardized framework,especially for medical device
manufacturers, because medicaldevice manufacturers.
They've all got proprietaryprotocols.
They're all using differentencryption methods.
There's not a standardizedframework, which has happened in
OT.
(26:26):
So we need to get thehealthcare organizations
together to lobby towards astandard framework, because
we're seeing things like, okay,tls encryption on certain
medical devices, and again onemanufacturer will use one way of
encrypting the traffic andanother one will use something
(26:48):
else, and we can see certainthings in one header we can't
see in another header, andyou've got TLS for wireless
devices.
There's all these differentmethods that, from a security
point of view, everyone's tryingto be at the forefront to
ensure that they're mitigatingthe problems.
But it's not standard acrossthe industry.
They're all doing their ownthings.
(27:09):
So, I think what we need to seeis we need to see
standardization across medicaldevice manufacturers.
Michael van Rooyen (27:15):
Of that, is there some innovations that
you're allowed to talk toBecause I'm sure there's always
some skunk works going on withwhat you guys are doing but some
innovations and capabilitiesthat your team's bringing to the
healthcare sector or othersectors?
Jason Payne (27:27):
Yeah, so we've got various facets of how we develop
our products.
We've got Team 82, which is athreat team, so our threat team
are constantly looking at waysto innovate based on what
they're seeing from a threatpoint of view.
So they're actively looking atways devices can be exploited.
We also obviously take a lot offeedback from our customers as
well.
So one of the things whichwe're proud of at Claroty is
(27:49):
part of our ideas portal that wehave, where our customers can
submit what they want out of ourplatform and what they want us
to put our development andresearch into.
So, again, we're looking atthat as well.
We're actively talking tomedical device manufacturers to
get an insight into what they'redoing.
So outside, outside of nothaving a common framework or
standards with thesemanufacturers, we're also
(28:11):
looking at ways that we canintegrate better with them,
because what we want to makesure is that we're giving
customers the best visibilityinto those devices and what's
happening on the network.
So a lot of what Clary does aswell is that we're doing a lot
of research and development,working with medical device
manufacturers to pullintegrations from them as well,
so enriching information that'scoming back from these
(28:35):
manufacturers whilst theydevelop their own kind of
security measures as well.
So there's a lot of stuff we'redoing there in the background
to ensure and we need to do thatbecause we need to stay
relevant.
So of course, that's a lot thatwe do in terms of strengthening
and broadening out and alsothrough our alliances as well.
So we've got we've got a good,good strategic alliances as well
(28:56):
yeah, fantastic, yeah, that,that, that's, that's, uh, you
know.
Michael van Rooyen (28:58):
Again back to that in a starting point,
right, if you can do that.
Very interesting, as we getcloser to the end of our
discussion today, which has beenvery insightful, is, um, you
know what?
What advice would you givehealthcare security leaders or
operators, or in the tech spacethere who are looking after
these facilities around some ofthe challenges that they're
facing in securing these devices, particularly as we see?
(29:21):
The continuous explosion ofdigital transformation,
explosion of devices, iot, etcetera.
Yeah of digital transformation,explosion of devices, iot, et
cetera.
Yeah, yeah.
Jason Payne (29:27):
As more and more devices are coming on the
network, actually what they doand how they communicate and the
characteristics of thosedevices, and it's becoming a
bigger and bigger problem, asyou mentioned, as more and more
things get connected.
So from a security point ofview, you need to understand
what your risk profile is, andthat's not.
(29:48):
I've got all my medical devicesin a CMDB or in a database that
says, well, okay, I know whatthose are, okay, that's fine,
but a database is not going totell you what the risks are
associated to them.
So for healthcare deliveryorganizations, they all need to
have a baseline understanding ofwhat's communicating on the
network and, as I mentionedbefore, even if they're in a low
(30:10):
maturity phase, they need toknow what that risk is, because
without it, how can they reportthose ones that are psychic?
How can they report?
They can't if they don't knowwhat they've got.
So my advice is to healthcaredelivery organizations and
hospitals understand where thatprogram of work fits in in the
broadest scheme of things.
(30:30):
So they're all allocatingbudget towards security and what
that looks like and securingpatient records.
But you have to go broader thanthat as well, and and sometimes
it can be an area which, uh,it's a nice to have, yes, rather
a must have.
Yes, and we know the must haves.
Everyone's got firewalls andcorporate security for the
(30:52):
network and everything else.
But is it a nice to have?
It can't be seen as a nice tohave.
Michael van Rooyen (30:57):
A hundred percent.
Jason Payne (30:58):
They have to have this because that is where the
bad guys are going to come in,of course.
So, even if they want to startat a very, very small point,
which is just visibility, soeven if they want to start at a
very, very small point, which isjust visibility, and then
understand how that's going tobuild into their broader cyber
strategy, build something intothat strategy that takes into
account visibility of yournon-managed devices and I'm
(31:18):
talking about medical devices.
Yeah, of course, look that'sfantastic advice.
Michael van Rooyen (31:22):
One of the last questions I'd like to ask
participants of the podcast isto tell me about the most
significant technology change orshift you've been involved with
or seen during your time in theindustry, and that doesn't have
to be particularly aroundmedical or channel, or anything
that you've been involved withbefore Could be, you know,
outside of your domain or inyour domain.
Jason Payne (31:45):
Like what's the most significant thing you've
seen, impact us or you've beeninvolved with?
I think, as of today and evenseeing what we're seeing around,
this conference is AI.
Michael van Rooyen (31:52):
Yes.
Jason Payne (31:55):
It kind of blows your mind, yes, what we're
seeing.
And you look back in the futureand I'm an older person in this
industry now and you look howtechnology has moved along.
I mean, everyone's talkingabout AI and artificial
intelligence, but it is kind ofreal now and if you look you
mentioned chat, GPT and it'samazing how technology's moved
(32:20):
from now.
We've got all this AI and allthis information and all this
data and you're seeing theserobots that Elon Musk is making
and other companies are makingand it is scary and you think
that everyone's talking about.
In the future, you have a robotat home doing things for you.
Michael van Rooyen (32:36):
The Jetsons right.
Yeah, that's right.
Jason Payne (32:39):
And you aren't starting to see that happening.
So for me how it has come about.
And I remember in one of theoldest search engines before
Google there was a search engineprior to Google, around the
same time, where you were typingsomething, you'd ask a question
.
Michael van Rooyen (32:57):
Right.
Jason Payne (32:57):
But you never really had the smarts to really
answer the question properly asopposed to what Google can do
now and what AI can do.
It just blows my mind a littlebit where it's come from.
Oh look, it is amazing.
Michael van Rooyen (33:07):
mind a little bit where it's come from.
It is amazing, right.
Jason Payne (33:09):
Einstein.
Was it Einstein or?
Michael van Rooyen (33:10):
which one?
It was yeah, yeah, yeah.
But I mean their vision waseffectively what we're seeing
now with AI.
Right, I mean asking that andunderstanding context and as we
build out, I mean it isphenomenal.
And then I think about you knowthe data behind that, the
networks to support that?
Yeah, you know.
Know the, the data behind that,the networks to support that?
Yeah, you know industry?
Uh, one of the reasons in ourindustry and love our industries
it just continues to change,right, it evolves, yeah, all the
(33:31):
time.
I think we've all been verybeneficial in, in enjoying that
journey.
Yeah, it always surprises mewhen we think we're kind of
capping out on where we thinkshould be it.
Just something else comes leftfield, right.
So yeah and, look, I appreciatethe time today having having a
chat to me.
It was an excellentconversation, you you know,
regarding, you know really, thevisibility and all things in
that, and particularly medicalfor those who hadn't really
(33:52):
heard about the space.
So again, jason, reallyappreciate the time.
Yeah, pleasure.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy And Charlamagne Tha God!
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.