Securing Healthcare – Navigating Patient Data Challenges with Banyan’s Innovative Solutions

Ashur Kanoon:
Hi everyone. We’re just getting started here, so give us a minute and we’ll kick it off.

Andrew McCarter:
Hey, I’m a real person. All right.

Ashur Kanoon:
Hey Andrew. Welcome. Welcome. All right, we have a couple folks on, let’s just give it a minute. I will start sharing slides and we can kick it off in a second.

And you can hear me loud and clear?

Andrew McCarter:
I certainly can.

Ashur Kanoon:
Okay, awesome. And I will try to keep an eye on attendees and questions as we present.

Andrew McCarter:
So will I.

Ashur Kanoon:
All right, Andrew, let’s get this thing started. Hi everyone. Thank you for joining our Securing Healthcare webinar. I’m glad to be joined today by Andrew McCarter. We did have Colin, who’s our VP of engineering, signed up for this, but last minute health appointment, he actually had a healthcare thing he had to go to for himself, so we’re lucky enough to get Andrew, once again, get on. Andrew, how about you do a quick introduction.

Andrew McCarter:
Hey folks. Andrew here in the products side of the house of Banyan. So Colin would be my leader in charge. But I’ve been with Banyan for about two years and in my previous life I worked a lot with healthcare, so a little foreshadowing for that in the future slides that we have.

Ashur Kanoon:
Excellent, thank you. And I’m Ashur Kanoon, VP of Technical Marketing. I’ve also been in this security space for a long, long time, working with some pretty big healthcare customers like UnitedHealthcare on the provider side, insurance side, as well as many, many different hospitals. So let’s kick this off. Actually before we kick this off, for folks that are attending, if you have questions, please feel free to use the Q&A or raise your hand. We’ll try to get to the questions at the end. But again, thank you for joining and let’s get this thing started.

So Andrew, first let’s actually kind of talk about this problem. So based on your experience, is this whole healthcare security and access challenges a theoretical problem? What have you seen?

Andrew McCarter:
I was thinking of the answer I wanted to provide. I think everybody wishes that security and access just automatically worked and they didn’t have to think about it, so then it would land in this theoretical space, but that is the antithesis of what healthcare has. So my background is I consulted for a lot of healthcare companies in the access space for a long time, I used to work for an identity provider. And some of the healthcare clients that we had, they were the most technologically advanced in their IDP solutions because of this problem where it’s really a double-edged sword. The hospital system needs really stringent security and access controls to make sure that they can still operate and deliver first-class and really good care for individuals, while also trying to make it as painless and as simple for all of their employees.

So there’s the double-edged sword of those normally don’t go hand-in-hand, there’s normally trade-offs that need to be applied and healthcare normally has to handle all of that and pick those trade-offs pretty prominently. So there’s definitely a huge problem here in how healthcare has to handle security and access and it’s definitely not theoretical.

Ashur Kanoon:
Yeah, yeah, yeah. In the past when we used to look at telemetry information, we always ask the same question to everybody, “Why didn’t you turn on this feature?” And they’ll always say, “It just made everything hard. Nobody wants to use it.”

So let’s look at some current breaches. This is one that, this thing that I’ve been reading about that’s been going on for a while was the 23andMe and this one, it was pretty interesting. They first reported in October, initially it was only 14,000 customers, which doesn’t, I mean it sounds bad, but it doesn’t sound as bad. They tried to downplay it. And then recent estimates is actually around 14 million. And the one thing here is it wasn’t just credit card numbers, usually you’ll see customer information is usernames, passwords, credit card information. This was everything; illnesses, DNA. So this thing’s kind of becoming a pretty big issue.

And a couple of things that they pointed out in the last update they gave is the concept of credential stuffing where it’s really people reusing passwords, and then they started promoting two-factor authentication. And we know even with two-factor authentication, there might be some issues. What are some of your thoughts around just using two-factor authentication?

Andrew McCarter:
Two-factor is great in theory. We sit here and we know that a perfect way to authenticate a person is you lean on something that they know, which is their password, something they have, which could be a second factor, and something that they are, which could be a second factor as well, or even a third factor. And these are again, great in theory, but the execution of them can be really tricky. Text messages, right? SMS is notoriously easy to spoof and it’s becoming a really big issue, especially as most traditional two-factor authentication prompts are leading with a, “I’ll text you a number.”

And there’s just been case study after case study around that aspect. The most recent one that I can think about is Snapchat used to have a two-factor authentication and people were just stealing accounts for even some higher up celebrities and things like that. So it gets into this realm of, two-factor is better than nothing. It can certainly help with the credential stuffing, but it’s not, I would say, enough in this space that we live in where HIPAA compliance and other really critical information such as credit cards are so sought after.

Ashur Kanoon:
Yeah. All right. Yeah, it sounds like the next logical thing, add another factor of authentication, but we know that it’s still not enough. Looking at some of these other recent breaches, the ransomware has been happening a lot. Ransomware attacks. Phishing attacks, again, trying to steal credentials to get in. These third-party vendor attacks has happened a lot. I mean there’s some really, really big ones where we heard about people hacking into SolarWinds and then getting access to big Microsoft accounts, big federal accounts. These are just a few in the last few months.

One of the things that happens is this isn’t just an issue from a technical security side, this is also a pretty big issue on the brand side, like people not trusting any of these vendors anymore, especially of 23andMe or some of these other providers. It’s like they ask you for so much information and you just don’t want to give it information anymore.

So looking at some of the challenges of what we talked about, some of these, can you talk about that last one we have listed here?

Andrew McCarter:
Sure, Ashur. I actually would love to go back one slide and just kind of bubble up what these really mean when we look at them. So at least from the Banyan perspective, and I think even potentially from the industry side of the house, we look at these and it all stems from, there was a pinhole that was delivered to the attack surface. So these healthcare providers had some sort of pinhole that was able to get in, whether it be that phishing attack or ransomware attack. And what ended up happening is a propagation. So they recognized that, at least the malicious actors recognized that if they could just get in one little spot, then they could propagate throughout the entire system. That’s how the ransomware attack is so successful because if it was just one or two servers, no one would really care. They would just blow them away and start them back up.

But when you’re talking about an entire system-wide ransomware attack, that’s when it gets really hairy. Same with the vendor. As soon as the vendor is hacked, then all of a sudden you have that pinhole that is then approached and that third party is just the mechanism to deliver that pinhole, which is then they lead on ransomware attack or something else. So it’s really the control of the attack surface and where does that attack surface, what does it surround? And I think we’ll get into that soon around what does Banyan do to kind of address those two pieces.

Ashur Kanoon:
Okay, cool. Yeah, we definitely… I mean the whole propagation thing, the next thought I have is, all right, propagation, I got to figure out how to do some sort of segmentation. So I’m sure we’ll get into that once we talk about what Banyan does.

So from a security and data protection thing, that’s one piece of it. What about the challenges to the end user?

Andrew McCarter:
So remember that double-edged sword that we were talking about? So we need to protect from the data breaches and the ransomware threats and et cetera on one side, but then we need to make it as simple and as painless as possible for the care providers and the employees of these healthcare systems. And today there’s a lot of challenges out there where the software solutions that are intended to help, think your traditional VPNs or your identity providers, they don’t do a great job on understanding that there are potentially vendors coming in and acting as employees, contractors, or even especially in the healthcare system where you might have someone like a traveling nurse where they go and work for one hospital system the next day to another hospital system, etc. And this is their routine for months on end as they go out there throughout their career.

And in those cases, what I’ve seen and how people have solved it is they’re carrying around two, sometimes three laptops to address these problems, which is where you’re failing on that second side of the sword, on that second edge. So it’s a big challenge that the software and security vendors for healthcare need to recognize. And what we attempt to do at Banyan is we try to recognize that there are all walks of life for the employees of these healthcare providers and we strive to make the end user experience as painless as possible. So that’s where we’re sitting here and we actually have addressed these challenges of multi-organization care providers, which we can show later.

Ashur Kanoon:
Okay. Yeah, I think for the first half of my career it was always, the decision was, do you want to maximize security or do you want to maximize the end user experience? And it was always two sides of the spectrum. You can’t have both. So all right, let’s talk a little bit about what Banyan does to help.

Andrew McCarter:
Absolutely.

Ashur Kanoon:
All right, so there’s a couple of things. I always call these the Banyan superpowers. Again, just having spent so much time in this space, there’s the, how do I get an admin to use it? And then how do I get the end users to actually use it and not avoid it? So let’s talk first about hybrid access. What does that mean to us as one of our superpowers?

Andrew McCarter:
Absolutely. So this was a principle that Banyan started with. So Banyan was born out of the remote-first kind of culture, where we led with this principle that an employee is going to do the same validation and have the same threat analysis done on themselves no matter where they are at within the organization’s architecture or ecosystem. So a lot of times when security vendors come in, there’s this delineation between, you are within the organization’s ecosystem, so you’re maybe on their Wi-Fi or they’re plugged in as a wire to the LAN, we’re going to treat you differently than maybe an employee that is using a VPN to get access.

We do away with that notion, right? We say that there is no such thing as being on-site or within the architecture of an environment, and therefore we treat everybody with really stringent rules, but behind the scenes, to actually evaluate your access. So when we say hybrid access, it means we don’t care where an employee lives or where they are, we will treat them with the same security scrutiny to evaluate their level of access that they’re allowed. And this has worked wonders in terms of especially the healthcare system as we mentioned, the roaming healthcare provider or sales individuals that go in and out, etc. We don’t need to add that extra nuance of, this is inside the org and this is outside the org.

Ashur Kanoon:
Yep, yep. Yeah, and just to sum it up, as an admin, I don’t have to be a VPN expert, a NAC expert. And the NAC side, the on-prem NAC side, is actually pretty hard because not only do I have to know how to use the NAC, I have to also figure out, how does the wired switching environment fit in? How does the wireless environment fit in? If I’m doing firewalls on-prem, how does all that stuff fit in? So just having one system to provide all the access just makes it way easier.

All right, Flexible Edge. When we talk Flexible Edge, what are we actually talking about?

Andrew McCarter:
So this is that second principle that Banyan started early on with the career and the creation of the company. So a lot of times when you look at ZTNA providers or VPN providers, they only have one method to actually deploy the solution. You’re either owning and managing their software locally within an on-prem environment, or they’re offering you some cloud version of their technology where you essentially gain the capabilities to use the software, but that company, that software vendor owns all of the technology stack within the cloud.

We lead with both architectures because we don’t feel that the environment that organizations are going to is not a pure software defined data center solution where everything is up in the cloud and everything is rented out from maybe Azure or AWS. But we also don’t believe that it’s going to go back to a pure on-prem deployment model.

There’s going to be a hybrid of both forever. There’s going to be necessary things, maybe old mainframe applications or stuff that is really sensitive that we want to keep on-prem and then more modern stack solutions or easier deployed applications would live in the cloud. And what Banyan says is, that’s not a problem. We understand. And with our way of deployment, you can access both of those and own your data plane where you need depending on what type of solution you have.

So that’s all to say our Flexible Edge allows you to connect to your on-prem resources that you never intend to move to the cloud or want to move to the cloud but don’t have the capability to do so yet and own that data plane. You also have an easy way to essentially gain access to our Global Edge, which gains access to all of the SaaS applications and anything else that you want to manage in the cloud without needing to deploy any of our Edge technology. Banyan can help you with that. So it really gives you that flexibility, as the name calls out, to play around to what your needs are as an organization.

Ashur Kanoon:
Yep, yep. And one of the other things that I’ve heard just from customers is using our Global Edge network, having them deploy super lightweight connectors, we could do that pretty much on anything. I’ve heard someone that had to get access, they had just done this consolidation, it was a really small healthcare, like one office firm in the Midwest. And they basically just shipped them a laptop and said, “Get the laptop on your Wi-Fi.” And then they just installed a connector in Docker on the laptop and they were using that temporarily until they actually integrated them in. So it was something super light and simple. They didn’t have to worry about DNS, they didn’t have to worry about firewall, they didn’t have to have a external static IP address. It was just super simple and quick.

Okay, cool. So let’s talk about a few more features that we haven’t talked about yet. These are some of the features that I just threw out there. Pick one and let us know what it is.

Andrew McCarter:
Sure. So I’ll just kind of go through at the top and work my way down. So we kind of talked about the multi-org support a little bit before, but again, this is a primary feature to help end users and the unique situations that healthcare arises to with dealing with traveling nurses or vendors that come in. We have an easy way to adopt that where you don’t need to reinstall an application or sign in and sign out or even carry around a second laptop. Our native technology for the app that sits on a device that gives you ZTNA access, that protects you from public internet, that all can do multi-org support. So you can easily switch in and out of the different companies that you might be working on, which is super useful again for those nurses that might work with multiple hospital systems, same with doctors, et cetera.

From a clientless option, we recognized here at Banyan that deploying an app might not be the best way to support end users. So we’ve given more flexibility on our methodology to actually support access into private resources in the ZTNA solutions. And this leads to clientless options. So today we have a wonderful Chrome extension that can sit within the browser and you can gain all the access that you need to potentially websites or servers without ever leaving the browser, and never needing the aspect of an application that needs to be managed in one way or another.

Ashur Kanoon:
Okay, cool. What about device trust? What does that actually gain the organization?

Andrew McCarter:
Yep. So great question. As we were bringing up that perimeter mentality where we have the attack surface and we need to protect that attack surface as best as we can. Well, device trust helps with that. We leaned on the concept of NIST, which defined what zero trust was. And with trust, NIST came to us, the government and said, “Hey, the way that we’re going to start looking at trust for employees is gathering aspects of everything about them.” Not just a simple password or MFA to establish trust, but rather the concept that you can look at properties of the device, whether device is encrypted, if it’s on a good Wi-Fi, if it’s up-to-date and even third party attributes, maybe that device being registered inside an antivirus solution, and how does the antivirus look at the device right now? To employee attributes; how often have they logged into services within the organization and is it a typical employee day or is it a non-typical employee day?

So all of these, we at Banyan collect and determine a value for the device, which is their trust score. That trust score is then used to determine if they’re actually allowed to go past that attack surface to access anything that they have been assigned to. So in a case maybe where we say if your device is unencrypted, we’re not going to let you into access anything, we can establish that real time so that we can prevent employees from accessing anything if they’re unencrypted. Or if they’re currently accessing something and they become unencrypted, we can kick them out. So it gives us that capability to do what we call also continuous authorization, which is normally paired directly with this concept of device trust.

Ashur Kanoon:
Got it. So it’s not just a check right at the beginning, but also while the session is happening. So with the device trust, I know for all the VPN clients or even some of these very basic ZTNA offerings, it’s very binary. Once you’re out of compliance you can’t access anything.

Andrew McCarter:
Yes.

Ashur Kanoon:
What does our offer give?

Andrew McCarter:
So I think Banyan leads with this concept of flexibility. I think that’s the term we should land on for today’s presentation because device trust you can configure as an administrator to allow employees different access to different things depending on how trustworthy the device is. So if you’ve run all the checks and the employee is essentially a hundred percent trustworthy, they can gain access to everything. But maybe at 50% trust or a medium trust level, they can only access the home page for the healthcare provider. And maybe at low trust you can only access the support portal to get help from the IT team or anybody else that might be useful to help you get more trustworthy.

So we give that flexibility to allow for this non-binary solution where, oh my god, all of a sudden I can’t access my VPN, I can’t access anything, I’m now using my personal device and trying to work with IT who cannot reach even my laptop to assist. So a lot of that was trying to again, ease of use for the end users and for the admins that take care of the software and security.

Ashur Kanoon:
Okay, cool. So let’s leave this ease of use one because I’m going to show a demo in a second. How about you hit that last bullet, the ITP and DLP?

Andrew McCarter:
Sure. So the last piece here is we’ve talked a lot about your own software solutions, whether it be web pages, servers, applications, etc, that you need protecting, but we recognize that that’s not the only internet based solution, or sorry, internet that employees access. So ITP, or what we call internet threat protection, and the concept of DLP we can layer on to say, “Okay, we’re now protecting your own private resources, your websites, your applications, your servers, but also if this employee is using something that is a third party or just the straight old internet, we can also protect against that.”

So we protect against your threats that we saw previous where phishing attempts, malware, crypto bots, translation sites, things like that that are known to be rather risky, as well as we can layer on your compliance of your corporation to say, “Hey, nobody should have a patient chart downloaded to their device.” We can prevent that through DLP. So we’re kind of this middle man for all of the network needs of a device to make sure that the employee is doing what they need to and they’re not putting themselves or anybody else in danger.

Ashur Kanoon:
Okay, excellent. So with that, I’m going to just show a couple quick demos. We have just a few minutes left. So let’s see.

So the first thing I’m going to show is the Google Chrome that we talked about, the Google Chrome extension. So few things to highlight. One, any user can install this, it doesn’t require privileged permission or admin permission. So here I have it installed and I’m just going to highlight a couple of things.

So one, you can see as soon as I launched it, the first time I logged in, I was already in. It is looking at my trust level. In this case, my trust level is high. It tells me what services I have to access. I don’t have to memorize any URLs and I have to keep a bookmark. It tells me what I have access to based on the type of user I am and the state of my device.

And then I’m going to just go into our trials platform. We use this all the time to demo. I click open, and you see it lets me in. It’s really that easy. I launch it, I click what I need, and now I’m in. I didn’t have to use the client or anything like that.

I’m going to go ahead and minimize these. And now I’m going to launch the client just to talk about a few things about the client as we wrap up. So one, even without being logged in, Banyan is always aware of my compliance state. This is checking everything in real time, like you mentioned, Andrew. And that information is always being sent. I don’t have to actually be logged in for the system to be aware. And with ITP, ITP can also be running without me logging in. So again, from a end user perspective, it’s super easy.

I’m going to go ahead and click login and it is logging in on my other window. Let me bring that up. So it’s logged in through the browser. I didn’t have to put in any passwords because we’re doing authentication based on certificates. Again, back to making things easy. And if I go back here, once I am logged in, again, we have a list of services that the end user can launch, again, without having them to sit and try to figure out what they have access to.

So the authentication is super easy. For some services, you don’t actually even have to log in and once they’ve logged in they can run things from here. And I just want to keep the demo that simple.

Sorry, I’ll go back to this. Just a wrap up slide. So for the folks that are on, thank you. We tried to keep this within 30 minutes. If you have any questions or you want to see more demos, you want to get in touch with us, please visit us at www.banyansecurity.io. Andrew, thank you for jumping on last minute. Any parting words?

Andrew McCarter:
I think if I was to try to sum up Banyan in a one or two sentences, I would say that Banyan is the flexible, all encompassing solution for your network needs. We do VPN, ZTNA, we do internet access, all within a simple model to manage and deploy. And that’s what we strive for, and if that’s what you’re looking for, I would love to chat with you.

Ashur Kanoon:
Excellent. All right, thank you so much Andrew. Thank you for the folks that are on and if you have any questions, please reach out to us and let us know. Thank you so much.

Andrew McCarter:
Thank you.

 

Close Transcript