In this episode, John Riggi, the AHA's National Advisor for Cybersecurity and Risk, is joined by David Bardan, GM & Head of Healthcare at CLEAR, and James (Jim) Bowie, Chief Information Security Officer at Tampa General Hospital. Together they discuss how biometric verification can prevent unauthorized access and stop bad actors from working their way through the network, and Jim Bowie shares practical insights from Tampa General Hospital's deployment of CLEAR, including implementation, adoption, and security outcomes.
How Healthcare Can Fight Back With Identity-first Security
John Riggi (Host): Hello everyone, thanks for joining today. I'm John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity and Risk Providers Bringing Value, a podcast from the American Hospital Association. Today's topic is how healthcare can fight back with Identity First Security.
In today's cybersecurity environment, the threats facing healthcare are tremendous. Cyber attacks of all types, data theft attacks and ransomware attacks have increased several hundred percent just in the past few years. One of the primary tactics that our cyber adversaries continue to use is identity-based attacks, whether it's phishing emails or credential theft.
Ultimately, these types of attacks allow the bad guys, these foreign-based hackers, to penetrate our networks, steal patient information, and in the worst scenario, deploy highly disruptive ransomware, which disrupts and delays healthcare delivery, posing a risk to patient safety. Today I'm really pleased and honored to have with us David Bardan. He's the General Manager and Head of Healthcare for CLEAR, and Jim Bowie, Chief Information Security Officer at Tampa General Hospital. CLEAR is recognized as an American Hospital Association Preferred Cybersecurity and Risk Provider. Thanks for joining the podcast today, Jim and David.
David Bardan: Thank you. It's great to be here.
Jim Bowie: Thank you. Very honored to be here.
Host: David and Jim, let's start off the conversation today by learning more about your professional backgrounds and what brought you to CLEAR and your collaboration together.
David Bardan: Excellent. Well, I'll get started. First and foremost, I joined CLEAR roughly about three years ago to help CLEAR move into healthcare. Many know CLEAR from the airport. We've operated there in a zero-fail environment for nearly 15 years. So I was excited to come on board. I'd actually been in healthcare for about 15 years myself. I started my career at Deloitte Consulting out of Minneapolis, working with several major healthcare organizations.
I moved to New York about 10 years ago and actually joined a startup called Zocdoc, and helped them scale their business into the landscape of healthcare systems. And just before CLEAR, I actually spent some time at a company called TytoCare, helping bring one of the first of its kind medical devices to the US from Israel to pair with the virtual exam. Professionally, I saw firsthand how inefficient healthcare systems can be, in many ways slapping, you know, call center calls on many different types of operational issues, utilizing fax machines to this day, having multiple versions of a patient in their system.
Personally, I live in New York and I consume care through many of the care systems in my area, and I'm still in many ways filling out clipboards. Sometimes even at the same system, as I'm literally going from one floor to the next to get my labs drawn. It's a disconnected experience. When you look at the numbers, right, we spend a lot of money on healthcare here. It's about, I think, 18 or so percent of our GDP, roughly equating to four or five trillion a year, and a quarter of that is tied to administrative tasks and burden. So I thought the opportunity, you know, at CLEAR was real. I knew it was a major undertaking that really required a bottom-up approach, and I believe CLEAR was well positioned as a company, given its natural focus on the consumer.
A lot of companies in the space aren't necessarily focused on the consumer. I actually sat down with Nandan Nilekani, founder of Aadhaar out of India. It's a really unique system. It's the world's largest biometric identification system. They have 1.4 billion people on this. I really wanted to understand the secrets to success, and it really came down to them being hyper-focused on the consumer.
Their version of their EHR is called the PHR, the personal health record, and they have found ways really to meaningfully create value to the consumer. For example, streamlining payment. That's what drove the adoption. So I'm incredibly excited about what we're doing here at CLEAR, and I'm even more excited to be working with Jim.
Jim, I'll let you introduce yourself as well.
Jim Bowie: Thank you. My name is Jim Bowie. I'm the CSO at Tampa General Hospital. I've been here for about two years in that role. Before that I was director of cyber ops at Moffitt Cancer Center, and I was actually at Tampa General Hospital before that for eight years prior, in a variety of roles: director of infrastructure, security engineer. And in my previous life before all that, I was in law enforcement, where I did digital forensics and cybersecurity for a good while. And it's good to be here.
Host: Thank you both, and really a wide variety of perspectives. David, you're bringing truly an international perspective. It's really interesting what you spoke about, the international health record system there, and then obviously Jim from a state and local perspective. It comes down to identity, and even in my previous role at the FBI, even when I was working organized crime cases, healthcare fraud played a major role in funding, for instance, Russian organized crime.
It all came down to ultimately identity. Who is the patient, and who were they attempting to portray as the patient for false billing, all types of criminal activity, and of course, post-9/11 being in New York, terrorism. And then it became crystal clear we needed to secure our airports against continued potential acts of terrorism.
CLEAR was obviously a major player in helping defend the nation against the terrorist threat, and I believe personally they can be a major player in helping prevent cyber attacks, but also helping prevent healthcare fraud, which drives the demand for healthcare records. I've said this earlier this morning in another forum.
If there wasn't the value, the demand for healthcare records, we wouldn't get hacked so much on the one side. Why is there value? Because quite frankly, it's easy to commit healthcare insurance fraud. One of the drivers doesn't address ransomware. But anyway, so let's get back to talking more specifically about the breaches here, targeting the healthcare systems.
You've heard my perspective. We see a massive increase in cyber attacks targeting protected health information and ransomware attacks. I'd be really interested, from each of your perspectives, in what you're seeing in terms of the attacks, and what are the most common attack vectors you're seeing targeting hospitals today?
Jim, why don't we start with you first?
Jim Bowie: That's a good question. It actually seems to have really shifted. Tampa General actually had an incident a few years ago. It's public knowledge, and it was because of a third-party risk scenario with a compromised user. And since then we've shored up those defenses, and what we saw the attackers doing for the last 18 months is just constantly trying to get to the user identity.
We're constantly getting phone calls to our help desk five to 10 times a week trying to reset privileged users' passwords, everywhere from executives down to doctors, any employee they can find basically on the dark web. And the old way of doing things was to challenge them with things they would know.
That's supposed to be secret, right? Like, you know, "Hey, what's your social? Where's an address we have for you? What's a phone number for you?" All that data's on the dark web for everybody. We've kind of lost that game. That's no longer secret information. We can't use it as an acceptance in a remote capacity to verify somebody.
So we had a process we put in for a while where you had to come on site and we could reset your password that way. But that turned out to be a major disruption in the workflow for the users, and most often our clinicians who needed to treat patients right then and there. So that wasn't acceptable. So we had to come up with a solution to remotely identify someone on the fly that had 100% fidelity that we could trust.
We knew what would happen. We knew when it came back and said, This is Jim Bowie, that that would in fact be Jim Bowie. So we had to turn to a solution very quickly.
Host: I think you brought out a key point. Everybody's personally identifiable information is out on the dark web. Since 2020, just for protected health information, which contains everybody's personally identifiable information or most of it, 560 million Americans roughly have been impacted by hacking incidents reported to the HHS Office for Civil Rights. I know what you're thinking, John. There's only 330 million people in America. That's right, folks. Everybody in this country has had their identity or protected health information stolen or compromised at least once, many more than once, as I have multiple stacks of credit monitoring letters in my own home, it seems.
So using that information, a social engineer helped us reset passwords, add devices, it became crystal clear, pardon the pun, but I think it's appropriate. We need to verify the person, not the credentials. We need to verify the identity of the individual, the person behind those credentials to allow access.
So David, Jim shared with us various attack methods, and obviously these attacks result in the disruption of patient care. We thought we had a solution, come on site, just not practical in a healthcare environment. As Jim said, the doc's gotta be on site to care for the patient. David, can you describe how CLEAR's multi-layered identity solution helps prevent breaches related to social engineering or credential theft?
David Bardan: Yes, so look, many breaches begin with someone pretending to basically be someone they're not. Right? Identity is often the weakest link. Solving for identity is foundational to really stopping these social engineering attacks, these credential-based attacks, before they start. Unfortunately, the traditional methods like usernames, passwords, scanned IDs, they're no longer sufficient. An ID, right, is not identity.
Identity is dynamic. It's multi-dimensional. It requires more than just a static credential. And what CLEAR is doing is taking this multi-layered approach to identity verification, going beyond the document to confirm who someone truly is, right. And at the end of the day, identity verification is actually kind of a commodity.
There are many companies that do it, but what CLEAR has done is it's created this multi-layered orchestration stack, that actually utilizes a number of different vendors behind the scenes to optimize for the greater experience and conversion in a market. Right? California is very different than Florida, and Florida can be very different than New York.
So even the type of documents, right, that we accept in a respective market may differ. And so with CLEAR ONE, organizations have the ability to actually configure a number of different checks. I think it's over 60 different checks across the dashboard that we provide to them. And from biometrics to device to network identity integrity, we can effectively, you know, give them the means to put the right level of assurance in for the respective use case they need to meet, right? Businesses can stack these respective checks to create a multi-tailored identity approach based on their respective needs, whether it's a patient coming through to schedule their appointment, checking into the doctor's office, picking up a prescription, right?
These are all different experiences that command different levels of assurance, and so our approach ensures the right people in those moments get that access. And help prevent the breaches before, of course, any damage is done. One of the other unique aspects to CLEAR as part of that multi-layered approach that we have is we do have the certification and credential to do an IAL2 compliant level check.
And we're only one of a handful of companies that do that in terms of, you know, being audited and having that level of certification, and IAL2 is a real unlock. Last year the Joint Commission actually announced that IAL2 is an approved mechanism now to, you know, even onboard practitioners.
To sum it all up and really bring it to its simplest terms, a lot of care organizations have employed different types of MFA. This is a different type of MFA, right? We're not just proving that the device is associated to somewhere. We're proving in that very moment who the human is behind the device. And look, this isn't, you know, just prevalent in healthcare.
It's prevalent across a multitude of industries. We actually just recently announced a relationship with DocuSign, right? And in their case, right, it matters who the human is behind the agreement. And so the bottom line point is we live in a, you know, digital world, a digital economy, and we need better means to digitally identify individuals.
Host: Thanks, Dave. I'm going to ask you a couple of follow-up questions to some of what you just said. First, understanding that we may have non-technical folks listening in. Hopefully we do, because cyber is truly an enterprise risk issue that impacts everyone from the clinicians to those on the business side. In layman's terms, talk to us a little bit, very generally, about IAL2.
David Bardan: Yeah, so there are different levels of assurance that you can effectively accomplish. IAL2 basically goes beyond just the means of doing a document based level check. It's basically a document based check and one additional check. An example of that in practical terms, where we've all experienced that is when we, for example, had to bring a series of different documents, maybe a utility bill, right?
You're effectively doing a multitude of checks in that moment. So our secret sauce here is we've effectively done and met the standard of what IAL2 requires, which is a document plus one additional check behind the scenes. It can be, for example, like a phone check as an example, as part of that stack, and we're doing a multitude of these, including giving the partner a dashboard to do additional checks as they see fit, given the type of access that that individual's needing to get through to in that moment.
Host: So they can configure the level of access, selecting multiple checks. This isn't just biometrics, in other words.
David Bardan: Exactly.
Host: Mathematical conversion of the space between my eyes, for example, but linked to a device, linked to a browser. There's a number of checks that you can add on, layers of assurance, to identify again that the human behind that device, behind those credentials, is the correct human to gain access to those databases or those systems, so that's very helpful. Jim, let's switch back to you here for a moment. What can you tell us about the challenges that you had that led you to seek out a new identity verification solution for your workforce?
Jim Bowie: We had a bunch of them. One of which is, if your help desk is in charge of resetting MFA and/or passwords, they're going to make mistakes. They're humans. They get hundreds of thousands of calls a year, and for 999,000 of them, you want them to be happy, helpful, overly friendly, and you're asking them, the one time a threat actor calls in, to be difficult and obnoxious and be like, "I can't help you."
We actually have a recording from when we were doing some testing to prove this out. We called in and pretended to be a high privileged level, someone with super IT level access. That's the technical term. The help desk person said, "I'm not supposed to do this, but you sound like you're in a rush, so I'm going to do this anyway."
They wanted to get mad at that help desk agent. I'm like, don't do that. They're meant to help. You have a bunch of helpers, and people are programmed to help. It's just a brain thing. We're a community-oriented species. You can't go against that nature. So I'm trying to remove the human from that whole process.
And I don't mean the user, I mean from the decision-making process. Are you John? Are you Jim? So that was the first challenge. The second challenge was then, if you set up MFA with somebody, or you say, "All right, we're only going to use an approved device." The number of doctors, clinicians, users who have switched a device and forgot to re-enroll, or turned in their device at a Verizon, and now they have a new one, it's 3:00 AM and they're trying to do an emergency surgery and they need to get back into the system.
I had to be able to, tech-agnostic or device-agnostic, prove who that human was right there to let them back in. With those two things in mind, I had to come to a solution that would allow me to verify, again, with a hundred percent fidelity, that the human that is there claiming to be who they are is who they are, without having a specific device or a phone number or something that we had hoped we had the right data for in our HR system, which is not always correct either.
And that's where we went with CLEAR and they had that solution.
Host: Thanks for that, Jim. And again, we have seen the bad guys use technology to a point where, like, we enact a certain security measure; they come up with a countermeasure, and as always, it's the human that's the weakest link that we always find.
We have seen a really exponential increase in the targeting of help desks in the past couple years, not just by your average criminals, but by North Korean-aligned intelligence officers seeking to gain access to systems or, even in some of the worst case scenarios, to be eventually hired on as an IT worker.
Kind of a different scheme, but related to biometrics as well. And lately, as of the time of this podcast, we are seeing folks chain multiple IT help desk calls. So they call one IT help desk to, for instance, get access to one little piece of information. It might be just a password reset. Or to be able to add an additional phone number, not necessarily multifactor authentication.
Then they call another help desk, and it's already in the system. There's a new phone number, and maybe at a different help desk, for instance, a provider that's on the same electronic medical record, and they slowly chain their way in with these calls, never having to truly prove who they are, who they say they are, behind the scenes.
But again, starting off with that generally available, personally identifiable information. So David, we're having a lot of great discussion here about how the bad actors target healthcare systems, so what makes CLEAR's solution really especially well suited for preventing everything we're talking about, these unauthorized accesses to healthcare environments, and stopping bad guys from working their way through the network, whether it's one piece at a time or the massive help desk compromise?
David Bardan: Look in healthcare, security and speed aren't just priorities, right? They're non-negotiables. When access is delayed or compromised, care suffers. And with CLEAR right, patients and providers can verify instantly with a selfie after a quick one-time setup. They enroll once and they use anywhere, whether that's in a context of a healthcare environment or outside of it, right?
Many people who use CLEAR use it in an airport context or verify through LinkedIn, right? The beauty of it is that it's networked. You can reuse it, which means that patients and providers, right, don't have to continue to re-upload documents to prove who they are. And in many ways this sets CLEAR apart, right, as a networked identity with the IAL2 solution that we effectively have in market. It also helps, right, that we've operated in a zero fail environment for 15 years, right? There's a lot of extensive trust and track record behind the product, working with the Department of Homeland Security and TSA and having to have the highest level of certification from a security standpoint.
Look, healthcare is hard. Let's be real. A care system like Tampa General has many, many different applications and systems behind it to operate as part of their tech stack. And what we've done here at CLEAR is we've really tried to make it easy, really over the last few years, to integrate across the ecosystem, whether that be Microsoft, Ping, Okta, ServiceNow, Workday, SailPoint, and the list goes on, right?
In many ways, the heartbeat of these organizations is the respective EMR, like Epic. So we've invested heavily in these relationships to build our product in, right? Take Epic for example. We actually started working with Epic like many organizations do through what is called their vendor services connections hub path.
And after just a year of working with them in that light, Epic actually caught on to the opportunity to really enhance their own identity verification stack in their own built-in system. And so we actually recently announced a collaboration with them in their Toolbox program, where they actually are building CLEAR directly and natively to be available to their customers.
And we're actually seeing this across the EMRs. They're starting to take these attacks quite seriously. I'm not going to name names, but there are several that have more recently announced, you know, compromises, and we're still evaluating in many ways the extent of the damage, and these EMR companies, right, they're actually notifying their customers, their care systems, of these bad actors that have gotten through that the care systems may have not even known about in some of these instances. And so, again, it's not just digital, it's physical experiences too. You think about workforce members and how they badge, for example, vendors that come on site to fix an MRI machine.
Visitors who come on site to visit a loved one. These are all moments that matter where knowing who the human is behind in that moment, the device, the tablet, whatever it may be, the kiosk can really make a, a difference in that moment and prevent a bad actor from getting through.
Host: So Jim, given all of that, could you share with us how Tampa General Hospital's partnership with CLEAR changed the way you approach employee access and security?
Jim Bowie: Yeah, so basically we removed the help desk from the situation at all. If an employee wants to reset their password or their MFA device, they go to a site that we've stood up. It goes through our identity provider technology, and then for a challenge it goes to CLEAR. It says, all right, you want to reset your password, and hands them off to CLEAR.
We've automated this process. CLEAR runs through their process that David's talked about. It comes back to our system and says, this is in fact Jim Bowie. He's good to go. And it goes through, and the best part about it is it fails closed. So if there's any doubt whatsoever, if a letter's off in what returns.
And just to be clear, this happens very rarely, and it has more to do with the individual than it does with the technology. If there's any doubt about that person being who they say they are, it automatically creates a ticket to my team. And now we know we have to investigate a possible attack or see what the issue is.
And most of the time the issue is that it was an attacker trying to reset. So it's all automated. If there is an issue, they can escalate to the help desk. But all the help desk is going to do is then call my team, who's just going to walk the user through the process of being like, here you go. You can click here, click there, verify this.
They get the message back, they get reset, they're on their way, and it's seamless. It's quick. I was surprised with how quick it was and how easy it is to do, and they move about their way. So now I don't have to worry about the human judgment of getting tricked, conned, frauded into resetting somebody. And it's made things much, much easier, much safer.
And then what I've noticed from there is they started moving into trying to attack our patient portal. So then we put CLEAR in front of that too, and that's helped protect our patient population in the same situation. And the best part about that is the patients, we have a relationship with them, but we don't necessarily have an employee relationship. It's like, oh, hey John, I saw you at the water cooler the other day. Or, hey David, we had lunch yesterday. I don't know, I may have never seen one of our many hundreds of thousands or millions of patients before. So this gives us that reliable method to know who that person is, let them reset their own password and carry forward with their care.
And it's very quick and it's rapidly reduced our threat landscape and our risk. It's pretty impressive.
Host: Thanks for that, Jim. So David, some of the key points you brought out earlier and your experience in defending airports. When I really think about the criteria, speed, security, zero fail, almost completely incongruous concepts, almost impossible to achieve yet you're bringing that to healthcare.
So to close out this episode, David, could you give our listeners any final practical insights for making their organizations more resilient without slowing down care where lives depend on speed and accuracy?
David Bardan: I mean, I appreciated a lot of the points Jim made, but look, I think bottom line point is that the key is really to treat identity as a front door to your organization.
Whether it's a patient, a visitor, a workforce member, a vendor, maybe a student if you're an academic institution, right? If you get identity right, you can actually stop a lot of the threats before they ever reach your system. I was actually on with Frank Harvey at a conference recently. He's the CEO of Surescripts, and he had shared with the audience that 98% of the prescription fraud that they see is tied to identity. Right. So you can actually really see how significant that is. And if you treat, again, identity as the front door to the organization, you can really get it right, focusing on verifying who someone is, not just the credentials that they have.
Right. And that's a lot of the issues that I think we're seeing in the market. We're asking them questions like: What's your badge number? What street did you live on? What were your, you know, car payments 10 years ago? A lot of this information, unfortunately, is just out there, as you had shared.
It's compromised. It's on the web, so really verifying who that person is, not just the credentials they have, is critical, and making identity reusable. This doesn't have to be hard, right? We can democratize identity. Once a person's verified, give them the means to reuse that in many different contexts. In a given day, identity can matter five, 10 times, right? Whether you're accessing your bank info, you're opening up, for example, your, you know, employer portal as you're getting in to start working. We have so many moments where identity matters, and making it reusable is absolutely key. And if you think about it in a patient context, right?
It could be accessing your patient portal account to view your labs. It could be checking into the doctor's office. It could be verifying who you are to get connected to a call center, because you do actually have to talk to someone before you get connected. Visiting a loved one. All these moments, right, matter, and making it reusable is key.
And so ultimately, right, getting identity right helps you do both. It secures access without slowing down the access.
Host: Thank you, David, and thank you, Jim, both of you for joining us today on this podcast. Really sharing your tremendous expertise in a very practical way with our members and our hospitals.
For our listeners, if you would like to learn more about the AHA cybersecurity programs, please visit aha.org/cybersecurity. And a special thanks, as always, to our Frontline Healthcare Heroes for what you do every day to defend our networks, care for our patients, and serve our communities. This has been an AHA Preferred Cybersecurity and Risk Providers Bringing Value Podcast, brought to you by the American Hospital Association.
Stay safe, everyone.