In this episode, John Riggi, national advisor for cybersecurity and risk with the American Hospital Association, is joined by Brendan Galla, chief product officer at Exiger. Join us as we unpack how global trade tensions and AI-driven cyberthreats are disrupting health care supply chains — from medicines and devices to software. Learn how a unified view of supply chain and cyber risk, powered by AI, can help health care leaders make faster, smarter decisions to protect patient safety and ensure timely access to care.
Uniting Supply Chain Resilience and Cyber Preparedness
John Riggi (Host): Hello, everyone, and thanks for joining today. I'm John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity and Risk Providers Bringing Value, a podcast from the American Hospital Association. Today's topic is uniting supply chain resilience and cyber preparedness.
As cyber attacks increase against supply chain and third party providers, the downstream effect on healthcare providers, hospitals, and health systems continues with significant impact. In fact, recently, Exiger CEO Brandon Daniels testified before the US Senate Special Committee on Aging about risk to the medical and medicine supply chain.
We'll explore a critical topic today on how a unified view of supply chain and cyber risk can empower healthcare leaders to make faster, smarter decisions, ultimately protecting patient safety and ensuring timely access to treatments. Today, I'm joined by Brendan Galla, Chief Product Officer at Exiger. Exiger is recognized as an American Hospital Association–preferred cybersecurity and risk provider. Thanks for joining the podcast today.
Brendan Galla: Great to be here. Thanks, John.
Host: Brendan, let's start off the conversation today by learning more about your professional background and what brought you to Exiger.
Brendan Galla: Thanks, John. Yeah, well, I've always been a builder. I love finding ways to make things more efficient. You know, if the 7:30 mass is 10 minutes shorter than the one with music, you'll find me at 7:30. Initially, I got into the regulatory and compliance space way back in 2004 when I brought a product to market for banks that were looking to find more efficient solutions for Patriot Act compliance.
And at first, my journey at Exiger started off down a similar path. I mean, pointed at a little bit of a different problem space, but tasked with finding ways to automate risk detection over time. I would say, you know, for me personally, that journey has shifted a little bit more to the mission. The problems that I think we point our technology at today, they're much more tangible. They're headline news, they're things that even my kids can see and feel. And so, if I can provide for my family while leaving the world in a better place, then it's a win-win.
Host: Thanks for that, Brendan. And here at the American Hospital Association, we follow the same philosophy. I'm sure you may have heard me say this, and others in the Preferred Provider Program: we're about service, not just sales. And we obviously want good firms to succeed. We want our members to have available to them the best firms. Appreciate your comments about the mission.
My background, as you may know, I spent 28 years with the FBI. So, happy to be here at the American Hospital Association where we get to work with good firms like you who believe in the mission.
Brendan, let's start with the big picture. With global trade policies in flux and supply chains under pressure, tariffs, how can hospitals and healthcare providers proactively insulate themselves from these uncertainties, especially when both physical and digital supply chains are at risk?
Brendan Galla: I think the short answer is by knowing the direct and indirect supply chain risks they're exposed to, and most importantly, how to think about their exposure to those risks. So, that may sound obvious, but putting it into practice is extremely challenging. Let me start by kind of clarifying what we mean when we talk about risks and exposure. Hospitals and healthcare providers, they're exposed to all sorts of supply chain risks from, you know, financial issues to operational issues of a supplier of medical devices to the cybersecurity or the firmware that's installed on those devices.
Now, typically, as you move up a supply chain, the direct suppliers, they may be pretty well-known and established brands where, you know, a financial risk almost could seem absurd. But I remember, you know, during the COVID-19 response where we were working with the government, we found that nearly all production of a small part of ventilators was traced back to a tiny little company in Italy that got completely shut down for an extended period of time. Mind you, at a point when ventilators were highly sought after. So, all of a sudden product capacity halted. So while it may seem unlikely that GE Healthcare, who you purchased them from, could experience an operational issue, the key is to recognize that GE Healthcare doesn't actually manufacture a hundred percent of the parts that go into the ventilator.
So to draw a comparison to another industry, the B-2 bomber wings were made by Boeing. Its cockpit was made by Northrop. Its bomb bays were made by LTV. That's not to mention the 4,000 other manufacturers that created other parts and components. So, you know, all that to say, it's often these downstream dependencies of these sub-tier players that can be the source of those critical disruption risks.
But now, how do you know who those players are? Or even, you know, if you don't have a direct relationship with them, how do you understand that they're going to impact you? And the second is to realize that the same risk issue on the same supplier could have completely different impacts on one hospital versus another, depending on their relationship. You know, if you look at a supplier of syringes to a hospital that might be local to them in the US that experiences a production disruption, if for one hospital, that's their only supplier, and inventory levels are sort of low, it's a major issue. They've got a huge shortage they need to react to quickly. While for another, it could be one of three suppliers, plenty of alternative options. So, it's really important to understand your relationship to those things.
So, what are hospitals to do? Fortunately, you know, the technology advancements of today have made both of these problems, the sort of visibility problem and the risk understanding problem, things that are actually feasible to navigate for hospitals and healthcare providers. When I think about arming them with critical intelligence, they're much better situated to understand the impact of an event and the options they have to remediate that issue, which might be: can we find an alternative supplier or can we go to the supplier and actually confirm this is a real issue? Remediate that issue directly with them. So, being in that proactive posture puts organizations really in control of their own destiny versus, you know, playing on their heels.
So to summarize, I think you've got transparency, visibility into the relationships that you can't see but actually depend on, and real-time monitoring of the issues that potentially impact those relationships. And you combine that with your data, what's my relationship, my inventory levels, the criticality of that supplier, you can imagine you get really good at this, then you can start to actually gameplay out different scenarios. What happens if this supplier goes away? What could I do? So, that's really how we think about helping these organizations to really insulate themselves.
Host: Thanks for that. What you highlighted is a very good description of healthcare today in terms of the interdependencies. We often talk about in healthcare how it's third party risk that provides one of the most significant sources of risk facing hospitals, both cyber and supply chain. Of course, cyber attacks affecting supply chain, but it's really fourth and fifth party risk. Most organizations do not have the capability to map that out and understand it.
A big and most obvious example for us, the Change Healthcare attack last year, the largest healthcare cyber attack in history. Change ran in the background, touched almost every hospital in the country. They had an unpatched vulnerability in a third party software they were using. And as a result, every hospital in the country lost access to revenue cycle, again, directly or indirectly. Prescriptions were delayed, surgeries were canceled, all because of an unpatched vulnerability in third party technology in a third party provider.
Brendan, historically, traditional supply chains and software or cyber supply chains have been managed by separate departments. Why do you think that's been the case? And what risk has this really siloed approach posed to healthcare organizations today?
Brendan Galla: The primary reason's probably expertise. I mean, most non-technical people, they equate cyber to a hooded sweatshirt-wearing misfit in a dark room that speaks a totally different language. It's intimidating, it's confusing, it's unrelatable. If you were to ask 10 procurement or supply chain professionals how they assess cyber hygiene of a supplier that they may be working with, I bet nine out of ten would sort of shrug their shoulders.
The good news is times are changing. And now, they have tools in their repertoire that give them a fighting chance to make that initial assessment that's more akin to kind of what we see in risk assessments in other industries. If you think about, you know, walking into Nordstrom's and buying a suit, and they ask you, do you want to use their credit card because they're going to give it to you for a 10% discount, that person at the register is not a financial expert, but they can really quickly run your credit check and understand if there's any delinquency risk. So, it's turning into that more standardized approach and giving them an understanding, similar to what you could see in sort of the credit rating market, that I think will allow people to have a tool in this fight. And I think armed with that proper diagnostic tool, at least where they can understand that there might be smoke, then they can call in the experts when something might not look right.
So, this is a huge step in the right direction. The other reason is just tenure of the markets. If you ask most people, do they think of supply chain when they think about cyber or software risk, most of them don't. But the reality is something like 90% of all the world's software is leveraging open source. That's a huge exposure that we present ourselves with. So when you consider that software is really a collection of these parts that come together to form one bigger product, it's just a digital representation of the same issue we face on the physical side of the house. So under the hood, it actually looks the same, and I don't think the markets have really caught up in terms of the cyber side of the house.
So, the risks are really that the software and firmware is in almost everything we use today. I mean, I use the Ray-Ban sunglasses, there's firmware running on those, you know. So, the worlds of physical goods and digital goods are intertwined more than we've ever seen before, and it's only getting more intertwined. So, separating these worlds means that you can get conflicting information. You know, the group handling the cyber side may say, "Hey, we're good." The group handling the other side may say no, or vice versa. Or worse, you get a synergy between the two that you lose out on when you keep them separate. So, our belief is really that, you know, a centralized view to both worlds puts an organization on the most solid footing to protect themselves.
So when I think about kind of what are practical things you could do, I mean, some of the things we've seen in our own work: build software vulnerability management requirements into your contracts; require an SBOM. You know, make sure you're monitoring across both of those worlds and bringing the experts in where some of those signals arise.
And I think one thing that people don't often talk about, make your primary suppliers and distributors part of the solution, not part of the problem. You know, let them know you need their support on transparency into these relationships, on access to certain data that allows you to do a proper understanding of risk and on remediating an issue if you find it. Too often we hear kind of the refrain of, "Well, we don't want to bother them." But if the industry as a whole starts holding each other accountable, I really think we can lift all boats.
Host: So much great information there, Brendan. To just summarize some really key points, and quite frankly, I was amazed to hear you say 90% of software is open source. And I thought even Microsoft obviously uses open source and they build upon that.
I don't know if you remember a couple years back, to highlight the vulnerability in widely used open source software, Log4j. So, this was a vulnerability. It's almost in every device, every software that has logging capabilities, a major vulnerability, and it came right around Christmas a couple years ago. I remember all CISOs around the country and in every industry scrambling to root out where Log4j was in their networks and patch it quickly. Great point too about working with your suppliers. Nobody knows their products better than them. Insights you will not gain from a questionnaire sent to you as part of your third party risk management program.
And then, ultimately, great point about ensuring your organizational structure, third party supply chain folks and third party risk, supply chain and cyber. The structure is designed in a way that mirrors the actual environment, the world, right? We shouldn't be operating in silos. Third parties use open source software. There's that collaboration and communication. Internally, we have to do the same with our structural organizations.
Can you share some real-world examples of vulnerabilities that we just kind of talked about and some others in software components, whether in IT systems or embedded technologies and the kind of disruptions or patient safety concerns they can lead to?
Brendan Galla: First, I mean, we've mentioned open source and you just mentioned Log4j. First, I would say, just so people are clear, most organizations today use software that contains open source. So, what does that actually mean? So, Exiger, we write an application, that's our code. But the way code is compiled today, it's got a bunch of different open source components that get built-in there.
Now, other people write that open source component. It gets shared as a community. So if you had something as simple as, "I'm on a web application and I want to create a PDF," usually you won't write that code from scratch because it's already been tried, true, tested, and you can just grab it and pull it in and it becomes a piece of your sort of software. So, what that actually means is the stuff we're using in our everyday lives often has some connection to code that is owned and maintained by perhaps a single person or, most importantly, a group that has no idea how it's being used downstream. Just think about the applications of a create PDF that could be used in critical infrastructure systems to an app on your phone. There's not a good understanding of how all these things trace back together, and it can take just one, you know, poor contribution, whether that's innocent or intentional, that gets merged into a production environment and can cause a whole host of these downstream problems. And this day and age, that's further complicated by compatibility between new and old dependencies in terms of how we think about cloud, it gets quite complex to trace.
So, just piggybacking on your Log4j comment, that was an open source library. What happened there was it opened up access wherever this was installed to nefarious actors who really could gain access to these servers remotely, which means they could take control of a system, they could steal your data, introduce malware.
And to your point, a majority of organizations had no idea whether they were running this as part of it. And I remember, like you said, it was this massive scramble. We helped organizations to understand where does this sit in software that you might be using. Then, there's also, you know, a number of known cases on firmware where effectively it allows hackers to control that device remotely. So, you think about something like a pacemaker or an insulin pump. There's been cases where you can gain access to the settings on those. You could change the dosage amounts, you could change the pacing. These can present real dangers to patients.
And, you know, more recently this year, we had the warning from CISA and FDA around the Contec patient monitors where they could be controlled remotely, which could provide misinformation to practitioners. And I would say, while some of these threats seem like they're unlikely or even embellished, we find ourselves in interesting times. You mentioned it in your opening remarks, but this week our CEO testified in front of the Senate about how the US can be controlled really by China due to our incredible dependencies on them for prescription drugs.
And, you know, given the rhetoric between nations and what's going on, I don't think many people would think it's some far off risk if they could cut off those supply lines. Well, it's the same thing here. This is just another threat vector that could be exposed. So while it may have at one point seemed like nobody's ever going to do that, these are things that are possible now and things that we have to make sure we're taking seriously.
Host: Thanks, Brendan. And you're absolutely right. Our dependency on China for a variety of economic products and services has created risk. Reality is China's an adversary nation, and they want to be the dominant superpower by-- it's in their hundred-year plan-- by 2049, not necessarily militarily, but certainly economically.
And to your comments about medical devices, yes, it's definitely a risk. We haven't actually seen a case where bad actors got in and manipulated the function of a medical device to cause harm. However, what we have seen is, of course, the bad guys get in and deny the availability of a medical device, which causes delay and disruption of healthcare delivery, ultimately posing the same risk to patient safety.
But on a broad scale, your example about the-- I believe it is the Contec CMS8000 monitor-- came with a special feature that nobody was aware of, a backdoor transmitting data to Shanghai, China. It was a particular university, as I recall, again, leading that pathway. Why are we so concerned about it? You touched on it, Brendan. China has been publicly called out by the US government for planting not only malware for espionage purposes, but for destructive purposes on our critical infrastructure, telecommunications, energy, water, and wastewater, if in fact, when or if they invade Taiwan, to blunt a US response. That's from the US government, not from John Riggi. It is a reality. Looking ahead, what are the strategic advantages of bringing supply chain transparency, both physical and digital, under one roof? And how can AI and advanced analytics help streamline how all supply chains are measured, monitored, and managed?
Brendan Galla: I can't understate enough the importance of a single pane of glass. One, it provides a consolidated view across functions and risk owners that are most likely in distributed teams. Today, that information is often housed in a number of different systems, so you find people swivel-chairing into different systems. There might be data inconsistencies between those systems. It creates a lot of inefficiencies, opens the door to human error, and really poor decision-making.
And I think the second benefit of that single pane of glass is that, today, if we're viewing kind of these different concepts through different user experiences, it can lead to different opinions. Whereas if you've got one common, you know, set of diagnostic tools for assessing risk, you actually increase the number of eyes and therefore the chance that you're going to catch something that might be an issue, even if it's somebody who doesn't understand that issue, right? If it's a red, yellow, green scale, and I'm looking at that, it doesn't matter if I'm not a trained CISO. I can see that red's something I should do something about. So, leveraging that consistent user experience and centralizing that view, it just makes all of that that much more robust in terms of an operational process.
I also believe that we can take advantage of some of the network effects. And what I mean by that is I find that industries too often get hung up on competing on what I think are the wrong things, when in fact if they work together on some of the staples, you know, think about like a cell phone signal or something like that, it would actually allow them to focus on the features that actually differentiate them and make them more valuable and intriguing to a customer, right? The network benefit here, in my view, is if we pull in an organization, a hospital, and they're putting in information on digital and physical supply chains, we're illuminating that for them, or even risk assessing that for them. And the next hospital comes in and they do the same, and the next one comes in and they do the same. All of a sudden you start to build this huge pool of data. And then, you bring in the suppliers and distributors to that world as well. Now, you're getting this massively rich data set that is highly accurate and highly usable for these organizations. And I think that virtuous relationship that we could create out of that ultimately benefits the American people, right?
That's one of the areas where I really think we've got an opportunity to make sure we're collaborating to do a better job as an industry. From an AI perspective, the biggest advantages are quality of data and scale. The things we're able to do now with little input or, in some cases, expertise is fascinating. You think about this prior to recent advancements in AI, I would need an in-house expert to explain to me the end-to-end process and all the component parts that go into the production of a medical device or a vaccine. And if I was fortunate enough to have them on staff, it would still take me months and months to actually produce this and then keep it maintained from a documentation process. Now, we can start with as little as a product name or a part number. And models can go out and create a pretty representative supply chain in minutes.
And so, I'm not saying it's perfect yet, but the pace of innovation and the art of possible that we're seeing is so encouraging. This is just one use case. You apply those AI technologies to comprehensive and broad risk detection, to data creation, to automation of workflows. I really feel like we're going to look back in five years and feel like we've seen 50 years of innovation. It's very exciting times with what we can do.
Host: Thanks, Brendan. Definitely exciting. Perhaps a little cautionary as well as we proceed. But to your point, I see analogy in similarities when I was in government. To understand risks, you must have the data. You must have a collection of data, centralization of data, translation of data, and then ultimately centralization of the expertise to analyze the data and understand the risk across, you know, multiple disciplines. So, really great points.
Brendan, before we wrap up, what's one key takeaway you'd offer healthcare executives looking to strengthen their organization's resilience across both the supply chain and cyber domains?
Brendan Galla: Be proactive. I learned a long time ago, it's better to floss every day than to try to brush like crazy the night before a dentist visit. So, you know, take advantage of the tooling that's available on the market. It doesn't just help in a time of crisis. It helps optimize and sustain a healthy business during good times as well. So, don't wait for that crisis. For healthcare providers and hospitals, the cost of complacency, in my view, is too high and it's not worth the risk. So, be proactive, prioritize the investment, and I think you'll sleep better at night knowing you've put the people that depend on you inside and outside of your organization in a safer place.
Host: Thank you, Brendan. Thanks for joining the podcast today, and thanks for all that you're personally doing and all that Exiger is doing to help defend healthcare, our patients, and the communities we serve.
For our listeners, if you'd like to learn more about the AHA Cybersecurity Programs, please visit aha.org/cybersecurity. And again, special thanks to our frontline healthcare heroes for what you do every day to defend our networks, care for our patients, and serve our communities. This has been an AHA Preferred Cybersecurity and Risk Providers Bringing Value podcast, brought to you by the American Hospital Association. This is John Riggi. Stay safe, everyone.