In this episode of Security Nation, Richard Kaufmann discusses what it took to drive digital transformation and improve security approaches at Amedisys, a home health, hospice, and personal care provider. He dives into what inspired him to join Amedisys and help further their mission, why security works best when it's not seen, tactics he's learned to help empower other members on his team, and what his favorite dinosaur hacker movie is.
In our Rapid Rundown segment, you'll also hear Tod and Jen run through the biggest security news of the week, including our continued BlueKeep watch and the security implications of phone number-based security measures.
We publish new podcast episodes every two weeks, so stay tuned for future episodes, and if you like what you hear, please subscribe below! Our next podcast will be released on Friday, Sept. 27.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
It is now safe to turn off your computer. For most of us, this simple message in the late '90s was a reminder that the operating system processes had stopped and that the circuits carrying all of the '1's and '0's were ready to be powered off. For me, it was my first foothold into the information security arena. Starting at defacing that iconic .JPEG and advancing into running information security teams across finance, healthcare, and manufacturing organizations, I've tried to remove a little bit of entropy in the world through a passion for simple solutions to complex complications.
A problem well defined is a problem half solved. In an environment where threat landscapes, frameworks, and shareholder value are constantly evolving, being able to fall back on the fundamentals of logic and computing has become a rare commodity. I like to work with those who have a similar appetite for challenging the norms and thinking creatively. Typically, these symptoms present themselves as charts, graphs, and bad jokes in presentations into the board rooms and conference calls of organizations seeking transformation.
My daughter is my biggest fan, I enjoy long walks with heavy backpacks, and that inner voice inside my head sounds just like David Goggins.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi, and welcome to another thrilling installment of Security Nation, the podcast where we talk to people who are tackling challenges to help advance security in some way. I'm your host, Jen Ellis. I'm Rapid7's VP of Community and Public Affairs, and with me as ever is my amazing copilot, Mr. Tod Beardsley. Hey Tod. How are you doing?
Tod Beardsley: Ahoy ahoy, I am doing great.
Jen Ellis: Tod, this is the first one of these things I recorded not in Rapid7's headquarters, and in fact I am sitting in the U.K. where it is pouring with rain, as if that wasn't a cliche. How's Austin? Is it incredibly hot?
Tod Beardsley: It is ridiculously hot. I did not leave the house at all this weekend. Too hot to leave. It's like living on the surface of Mercury.
Jen Ellis: I'm glad we're all living up to our cliches. All right, great. So before we get into this week's exciting interview, I think that you're going to take me through what's hot in the news, right, in a Rapid Rundown? I feel like we should have sound effects for Rapid Rundown.
Tod Beardsley: Rapid Rundown!
Jen Ellis: Oh wow. That was golden.
Tod Beardsley: You like that one?
Jen Ellis: Let's keep that forever.
Tod Beardsley: Cut, print, forever. All right, so I think the biggest news lately was the Facebook leak of about 419 million phone numbers that are also incidentally linked with Facebook user IDs. There is a fairly significant privacy component to this, and that is a component that we won't really be talking about too much in this Rapid Rundown because mainly we focus more on security than privacy. But the problem here that a lot of security people are talking about is once these phone numbers are both linked with a Facebook ID, which then can go to a person's name and email address and all that jazz, it gets a lot easier to conduct a SIM-swapping attack. And if you don't know what a SIM-swapping attack is...
Jen Ellis: Which I don't.
Tod Beardsley: Well, I will tell you, and I will give you resources to learn more. But basically, what a SIM-swapping attack is, is when an attacker convinces your phone carrier to port your number to a SIM card that they control in their phone. So basically, they start getting all your texts and phone calls. This is a problem when we deal with phone numbers and cell phones in particular as security tokens. We treat them as kind of secret, sort of, as a way to establish identity, which is not really what phone numbers are really good for.
Tod Beardsley: And so I think it becomes obvious, right? If I have a password reset procedure that says, "Okay, well, I'm going to text you a special code and then type that in and then you get to change your password," well, the bad guy controls your phone number, this all falls apart. And then I guess the tragedy of all of it is that it doesn't super matter what you do as a user security-wise. You can keep your phone number super-secret, but then as soon as it's revealed, then an attacker can already know your phone number. You don't really get to change your phone number. Nobody chooses their phone number anymore since 2004 when phone numbers became portable. This is why everyone has area codes that don't often have anything to do with where they live. So that's essentially the problem here, right, is that when your phone number is an identity token and you can't change it and you cannot secure it, bad things happen.
Jen Ellis: Yeah. Okay. So that was a lot. That was a mouthful. Thank you.
Tod Beardsley: And let me just throw out, if you want to know more about this, "Reply All," which is a wonderful podcast that you should listen to right after this one, episode #130, "The Snapchat Thief," goes into this in great detail of how SIM-swapping actually happens. So check that out.
Jen Ellis: Well, I like this. I like this encouraging people to listen to all the podcasts. Nice.
Tod Beardsley: Right after this one.
Jen Ellis: Right, right. Obviously. Yep. Yep. Okay, cool. So firstly, these attackers, they are some cheeky people. So it sounds like there's not really much that people can do to protect themselves from this.
Tod Beardsley: Well, so the standard advice is, stop using your real phone number for this sort of identity verification thing for texts, for SMS-based, two-factor authentication, for anything like that, for this kind of security control.
Jen Ellis: That would limit the harm, but it wouldn't actually protect you from the attack, right?
Tod Beardsley: Well, it helps because ... So when I say stop using a real phone number, I mean start using a different phone number. So what a lot of people use is Google Voice. There's a couple of other providers out there, but Google Voice is probably the most known and popular one where you can get a phone number and link it to an email address and start using that as the thing that you get your texts or resetting passwords on. It's very similar to how password management is kind of a giant hassle to set up initially, but then once you do it, it's done and you don't really have to worry about it anymore.
Tod Beardsley: Having an alternate phone number just for this security stuff is a way to avoid ... because a Google Voice phone number cannot be SIM-swapped. That is an important thing, because it's not T-Mobile, it's not AT&T, it's not on a "real carrier." Yeah, it's not a cell phone number. And so that protects you from the SIM-swap attack in itself. But as far as obviously the privacy concerns of having your phone number out in the world, I don't know. I mean, people don't really treat their phone numbers is very secret except for when they do, so it's in a weird kind of nebulous privacy zone. But yeah, protecting yourself from a SIM-swapping attack does kind of necessarily mean that you have a phone number that you don't tell people, but you do tell security providers. It's not great, right?
Jen Ellis: Yeah. I mean, you can see where consumers have a real sort of eye-roll over the security thing.
Tod Beardsley: It's a huge eye-roll. I am rolling my eyes right now thinking about how awful this is.
Jen Ellis: It's exhausting for them. I can totally get it. And at the same time, I'm guessing that we're also saying, "But hey, kids, still, two-factor authentication is still important even if it's text-based." So we're kind of giving mixed signals here, people.
Tod Beardsley: Text-based 2FA is marginally better than nothing. Much better are like a token or something called TOTP where it's an app that runs on your phone or whatever.
Jen Ellis: Sure, but your average consumer isn't getting offered that in most cases, right? Unless it's to the bank or their workplace.
Tod Beardsley: Well, it's kind of wild west. I know there are plenty of banks that do text-based 2FA.
Jen Ellis: Yeah. Well, let's not get into a conversation about how behind the U.S. is on internet banking. Okay. So...
Tod Beardsley: So SIM-swapping, don't do it.
Jen Ellis: No SIM-swapping. Use Google Voice for your phone.
Tod Beardsley: Yep.
Jen Ellis: So what else is happening in the world? Anything else we should cover?
Tod Beardsley: So this podcast is also BlueKeep Watch, like the official BlueKeep Watch podcast. And so just as an update in that whole thing, so BlueKeep is the RDP-based exploit. It's CVE-2019-0708.
Jen Ellis: You're so proud of knowing that.
Tod Beardsley: I know. It's the only one I know. And it was an RDP bug. It was announced by Microsoft back in May with a patch. We've had a few months to patch it, and as of now, there is a Metasploit module lurking in the pull queue on GitHub, so it is technically public. It's not released as part of Metasploit, which has been widely reported. That is not true, but it has been published in the form of a pull request, which is a working proof-of-concept exploit for BlueKeep. So this is significant because it's the first one-ish that has been public-ish. Go take a look at the pull request, and you will find out that it is not terribly stable yet, but it does work in a lab environment, but there have been ... Let's see ... It's been three days since it's been out there and there are 146 comments. Most of them are, "I can't get it to work."
Jen Ellis: Nonetheless, the point is that if you work on an assumption that the Metasploit framework is a your-security-program-must-be-this-high-to-ride kind of a thing, that it's the baseline of what your security program needs to be able to protect against, then the point here is if you have not patched, then you need to patch as quickly as possible. That's really what we're getting at with this one, right?
Tod Beardsley: And you have to know what there is to patch, so it's kind of a two-prong. This is what vulnerability management is all about. It is asset management and patch management. So you have to know that you have RDP exposed somewhere. It could be internal or external. Find those endpoints, patch those endpoints, or turn them off. Maybe you don't need RDP anymore. A lot of times we'll set up RDP once and then forget about it. So yeah, so we are marching along the path of exploitation technology is catching up with this vulnerability. So I think that we're in an okay position. I am happy that we're able to adequately test defenses now that we have this kind of sort of working Metasploit module. Once that lands, it'll get a lot easier to test things because it will work on more targets. Right now we're on three targets and you have a really good shot of blue-screening yourself, so not great for a worm, obviously. Worms shouldn't be crashing things, because if they do, it's just like viruses that kill you too fast.
Jen Ellis: Right, yeah, so there's not much mystique about whether or not you got hit. You're like, "Definitely something's up."
Tod Beardsley: But if you'd like to help, we're always looking for community help. It is pull request number 12283.
Jen Ellis: Cool. Well, okay, thank you. And is there anything else that you wanted to tell us about or-
Tod Beardsley: That's it.
Jen Ellis: That's it. We have rapidly run down. Perfect. I certainly feel run down.
Tod Beardsley: Patch your RDP and change your SMS-based authentication to a non-cell phone carrier phone number.
Jen Ellis: Or alternatively, consider moving into a charming cave and abandoning all technology. Either is good. Probably won't be listening to podcasts if you go for the latter.
Tod Beardsley: Probably not.
Jen Ellis: All right, thanks, Tod! That was great. Let's welcome this week's special guest. So for this episode, Tod and I are joined by Richard Kaufmann, who is the information security officer at Amedisys, a national provider of home health, hospice, and personal care. Richard is celebrating his one-year anniversary of being at Amedisys tomorrow. I'm hoping there's cake, and I'm hoping that we'll be invited around for some. But as yet, I've heard nothing so we'll see what happens. Richard, welcome, thank you for joining us, we really appreciate it.
Richard Kaufmann: Thank you for having me.
Jen Ellis: Before we get into the project that you're going to talk to us about, let's find out a little more about you. What I love is that you sent us over a bio so that we can find out a bit more about you, and the last lines of your bio are, “My daughter is my biggest fan, I enjoy long walks with heavy backpacks, and the inner voice inside my head sounds just like David Goggins.” Which, made me chuckle no end.
Richard Kaufmann: It's really accurate. To be fair, my daughter's only three, so her list of people to be a fan of is pretty short. I'm glad to see that I'm on the top of that list.
Jen Ellis: I feel like, somehow it's so much better when they're that age, because they're just so much happier about showing it as well.
Richard Kaufmann: Completely agree.
Jen Ellis: That's a great age. I liked your, “I enjoy long walks with heavy backpacks.” It did make me wonder what your cybersecurity dating profile would look like.
Richard Kaufmann: That's right. It's unsuccessful, mostly. I always like to lead it off with, “Hacker, father, questionable decision enthusiast.” I think that accurately describes everything about me.
Jen Ellis: I like it, that's pretty good. Anything else that would be in your profile?
Richard Kaufmann: Just a bunch of terrible headshots.
Jen Ellis: Is there such a thing as a good headshot?
Richard Kaufmann: That's right.
Jen Ellis: Not in the corporate world. This is a question I like to ask people, what is your secret superpower? As we've discussed before, mine is the ability to harness awkwardness and make any situation more awkward.
Richard Kaufmann: Yeah, I think mine would go back to just complete mediocrity. I'm that superhero that is just okay at a bunch of different stuff.
Jen Ellis: I think that's kind of great. Someone who feels like they're not really okay at anything, I would take that. Mediocrity sounds great right now.
Richard Kaufmann: You need a big data exercise and be like, wow, there's this guy who's placing in the middle of the pack in all the things.
Jen Ellis: I like that you've managed to weave big data into this, well played. Tod, have you ever answered this question, or do you always evade it?
Tod Beardsley: My power is evading questions like this.
Jen Ellis: To not answer questions you don't want to answer? Oh, trust me, I'm aware.
Jen Ellis: If you were doing this, by this I mean, your job, not this podcast, because why wouldn't you want to do this, what would you be doing?
Richard Kaufmann: That's a great question. Up until I was 15 years old, I actually wanted to be a paleontologist, which, I know that there's a very natural progression between paleontology and cybersecurity.
Jen Ellis: Of course.
Richard Kaufmann: I was in high school then, getting ready for planning the rest of my life at college. I met with my guidance counselor and I was like, “Hey, I want to be a paleontologist.” Then I found out how much paleontologists made, not to disrespect all the paleontologists listening...
Jen Ellis: So many paleontologists listen to this podcast.
Tod Beardsley: Well now that we said the word like, five times, it's going to shoot to the top of recommended podcasts.
Richard Kaufmann: It's one of my favorite slides to put up around budgeting season, to marry those two worlds, because "Jurassic Park" was not a story about dinosaurs, right?
Tod Beardsley: Nope.
Richard Kaufmann: It's a story about what happens when you pay your IT employees too little.
Jen Ellis: I like it, I like that point of view. I also appreciate, recently I've been in discussions where we've been talking about all the films you could consider hacker films, that aren't really hacker films.
Richard Kaufmann: "Jurassic Park," top of the list.
Jen Ellis: Right.
Tod Beardsley: Absolutely.
Jen Ellis: I like this, I endorse this message. Okay. Good. This is not why you've joined us, even though I feel like we could actually quite happily talk nonsense all afternoon. The reason you came on was to talk about Amedisys Right Care. This is a project that you guys have been involved in. Can you tell us a little about what the project is, what it entails?
Richard Kaufmann: Yeah absolutely. So Amedisys Right Care is kind of a philosophy that our CEO, Paul Kusserow, has done just a fantastic job of ushering in over the past couple of years. At the core of Amedisys Right Care, it's about providing the right type of care at the right place, at the right time in order to improve the quality of life for our patients and clients. We talk a lot in the hospice, home health, and personal care industry about aging in place, that's kind of a very simplistic view on an extremely complex problem. I think at the core of that, no one likes to go to hospitals. Right? Hospitals are cold, the beds aren't comfortable. You lose a piece of yourself when you go into a hospital. Right? What we want to be able to do is empower our patients to remain in their home and set goals for their own care, which we believe provides that better quality of life at the end of it.
Richard Kaufmann: That's like that strategic vision at the CEO level. How we start breaking that down tactically, and the impact that has on technology. Technology plays a big part of that, right? IoT, networks inside of homes. It gets really complex very, very quickly. We started about a year, year and a half ago with this concept of our own digital transformation project, which lots of companies are doing digital transformation these days. What I think makes Amedisys different is, our CIO, Mike North, had this great idea of taking a more holistic approach into the capabilities that IT offers. At the core of that is information security. We understand that patient privacy and protecting our most vulnerable people was integral into this Right Care philosophy. We've been establishing the security team, we've been very strong. Ever since I came on board a year ago, we've kind of been bolstering those defenses and capabilities to support the mission of improving the quality of life for our patients.
Jen Ellis: Awesome, it sounds like you've got some pretty lofty goals there, when talking about improving quality of life for patients and trying to give people the opportunity to receive healthcare in their home, and to do so securely, is great. Can you tell us a little more about the substance and detail of what you've been doing from the cybersecurity point of view?
Richard Kaufmann: Yeah, absolutely. We break down, I call it an asymmetric security posture. That's just, kind of head nod to the fact that a lot of adversaries in this space can invest very little time, very little resources, and have just a detrimental impact on an organization. We see it on the large-scale breaches, and I'm sure we'll talk about that later on. It is one of those things where we invest a lot of time and money in resources into protecting those patients' data. We just want to make sure we're getting the right return on investment at the end of the day.
Richard Kaufmann: When I stepped into the role a year ago, regardless of the cake situation, I kind of focus on data, data is why I'm here. Basic data is incredibly, I think, valuable to adversaries these days, at least when you see them acting in that space. Fundamentally, what do you need in order to access that data? You need a username and a password. So, an identity. You need some sort of device, whether that's a tablet, mobile, laptop, server, you name it. You also need some sort of connectivity, so, a network. Those are the three areas that we've been focusing on over the past year. Identity defense, device defense, and network defense. However, when you break it down into those triangular approaches, all of a sudden that elephant, how do you eat that elephant, those single bite-size, kind of tactical wins become much more, I think, easier to realize.
Jen Ellis: I'm still dwelling on eating elephants but, okay. Letters start pouring in from vegans across the world. Who also, them and the paleontologists go crazy for this podcast.
Richard Kaufmann: I'm sorry.
Jen Ellis: That sounds like a very pragmatic approach, I like it.
Richard Kaufmann: Yeah, maybe we add that to the superpowers list. Mediocre pragmatist.
Jen Ellis: I feel like pragmatism does come off as mediocre, but in actual fact, it is a superpower. It generally is a better path forward to effectiveness, so, yay to pragmatism!
Richard Kaufmann: It's so interesting, as I was sitting there talking with the team that was interviewing me and they're like, “Tell us your approach for vulnerability management.” I was like, “Sure thing, no problem, I'd be happy to jump into it for you, but before I do, tell me more about your ITIL-based approach to configuration management.” You kind of get the blank stares and it's like, guys, let me save you some time and money. You have vulnerabilities.
Jen Ellis: Right.
Richard Kaufmann: We've got to develop a patch and play, it's not just about identifying them, it's about what you do with them afterwards.
Jen Ellis: Then they were like, we'd like to offer you a job.
Richard Kaufmann: That's right.
Jen Ellis: And a year later, we're waiting for cake.
Richard Kaufmann: They're like, what's your favorite dinosaur hacker movie?
Jen Ellis: Funny you should ask! How did you get going with this, what were the things that you did to implement in your three bite-size elephant areas?
Richard Kaufmann: Yeah, actually. So, for me, the first thing you do is sit down, and do that assessment of the operating area. What will be the quickest wins? We found some quick wins with vulnerability management, with parts where our SIEM had some opportunities for improvement. We gained a lot of visibility, and Rapid7 played a big part in providing that visibility into our organization. Then we kind of grew it from there.
Jen Ellis: Oh my god, it's so great, we didn't even pay you to say that. Thanks!
Richard Kaufmann: And kind of that implementation of some of the Rapid7 products and a few of the others we brought in. It's easy to forget sometimes that we're still a business. If you get too heads-down in the security focus, you start losing that line of sight to the quality of care to our patients. That's one thing that, even within the first couple of months here, I start correcting. So, it's kind of like, “Hey guys, we're getting a little too focused in our own world, let's make sure that the decisions that we're making have the right impact to our organization and ultimately to our patients and clients.”
Jen Ellis: I love that, I love the push to make it relevant and to keep your eyes on the real goal and what's really at stake. I think it's so easy, as you said, to lose sight of those pieces when you get into the detail work and to become a bit myopic.
Richard Kaufmann: Yeah, that's one of the things that actually brought me to Amedisys. I have a bit of a personal connection to our mission. It started for me, about six years ago here in Baton Rouge, I obviously wasn't working for Amedisys yet, but I was working in healthcare and I was furniture shopping. I bought my first house and it was time to move on past all this college furniture I'd been schlepping around for the past three years.
Richard Kaufmann: I was furniture shopping and, my phone rang. It was my dad. My dad had called me, and we have one of those relationships where, we don't talk all the time. Every two weeks, every other week, we touch base, hey, how ya doing, things are good. I'll see ya, when I see ya. I talked to him, you could tell something was wrong, so I walked out of the store, had a discussion with him. He had been diagnosed with colon cancer, and I was like, okay talk to me about the steps again. This pragmatic approach that I have on things, tell me about the process, tell me about the steps. He started explaining it to me. I was like, okay, no big deal. I went home like everyone does and they do their research. I found, he's going to be just fine. No big deal. There were seven days that passed between when he called me and his procedure. He had polyps, so they had to remove the polyps and then he'd be good to go, go home. The seven days passed, they opened him up, come to find out, he had cancer everywhere. It wasn't just in his colon, but that he had it throughout his entire body.
Jen Ellis: Oh, I'm so sorry.
Richard Kaufmann: Yeah, and not to get too heavy and deep on this Monday-morning taping of the podcast, but that's what it was. That conversation I had with him on Friday, that was the last conversation we had while he was lucid. He just went down this spiral after his procedure. He went very, very quickly. The thing that was so interesting to me about it, 23 days later he passed away. We all had our chance to say goodbye and it was sweet, but the thing that stuck with me about the entire situation was, we all had our chances to say our goodbyes. I was in a different city, my siblings were in different cities. At the time he passed, his wife was in another room, and the person that was with him was his hospice nurse, and obviously, I'm talking about it with you guys on a podcast seven years later. That's a pretty critical moment in anybody's life, when they lose a loved one.
Jen Ellis: Yep.
Richard Kaufmann: One of the things that sticks with me is that hospice nurse? That was a Thursday for that person. That's just a weekday, that's their job.
Jen Ellis: Yeah.
Richard Kaufmann: I take a lot of pride in the fact that, the security posture that my team implements has a direct impact on the quality of that person's life.
Tod Beardsley: Sure.
Jen Ellis: Yeah.
Richard Kaufmann: I've worked in a lot of healthcare organizations where things are a little strict on the security side of the house.
Tod Beardsley: Right.
Richard Kaufmann: I would just hate it if that person had that experience, went home, and wanted to do something as simple as send an email or connect with one of their peers, or even just write up their notes so they can start fresh a new day. And they weren't able to because of a security control.
Jen Ellis: Right.
Richard Kaufmann: We all know that security works best when it's not seen, it just works. Just like technology in general. That's one of the things that, as we've been performing this work over the past year, my team doesn't lose sight of on a daily basis, because I've certainly been a reminder to make them feel like they are.
Jen Ellis: Wow, Richard, thank you for sharing that. That's really humbling, I think, and a moving story. When you find a thing that becomes your calling, your mission, you feel personally connected to what you're doing, it is super empowering but also, it can be that much more stressful, because you care about it so much more.
Tod Beardsley: Yeah.
Richard Kaufmann: I think that's one of the things that differentiates Amedisys from the rest of the group. We run a very lean ship in IT and across the organization. But the people who are here, they care tremendously. And none of us are trying to just do the status quo, we're making things better in whatever wins that we get.
Jen Ellis: Then, you're lucky because, having a chance to work with people who all really feel personally about a mission is a really amazing thing. I feel very fortunate that I get that at Rapid7. I'm always mindful of the fact that not everybody has that where they work, so it sounds like you do. This is pretty sad that you had to get there in a not so lucky way.
Richard Kaufmann: That's the thing, everybody's experiences in life kind of shape them. If I hadn't had that experience, then who knows how I would've approached this. It probably wouldn't have been the most correct approach for our patients, but again, at the end of the day, that's what's important.
Jen Ellis: I feel very sort of humbled and inspired by you, Richard, honestly. This is supposed to be a funny podcast, dammit! I am not being funny right now.
Richard Kaufmann: We can switch gears and go back to the point.
Jen Ellis: I don't know, Tod, do you have anything you want to ask?
Tod Beardsley: I kind of do. Just to maybe bring it to a little more specific on security stuff, I know in medical tech in general, one of the biggest problems that they have, aside from patch management, is what you say, this credential issue. Usernames and passwords for things, and when you're dealing with a medical issue, especially emergencies, you don't want to be screwing around with logging into stuff. This is usually why like, med-tech tends to have kind of a bad reputation when it comes to authentication and encryption, because when that fails, you don't get to do the thing, which may be a life-saving or life-improving kind of procedure at the moment. I'm kind of curious, have you ever run into a situation where you have some thing like, med-tech IoT-like thing that is lacking any sort of reasonable credentialing and how you approach that and how you're enabling someone to do their job, but also at least wrapping security around it? Do you have anything that you can talk to...?
Richard Kaufmann: Yeah. I love that question. You're right, there's lots of opportunities in this space. We've been recently going through an entire modernization around how we manage identities and our entire workforce here at Amedisys, quite frankly. It's really interesting, because as we sift through, I'm fortunate, I have the risk management function under my purview as well, which makes things super easy. One of the things that I think we tend to lose sight of is, when we see a gap, it's easy to point out the gap, but it's really difficult to point out all the compensating controls that probably reduce that risk to a more acceptable level. I'm not saying that you don't do anything about it, I'm just saying that, at the end of the day, defense-in-depth as a concept over the past two years has been wonderful. We just have to understand that, okay, you're right, if I have a gap on the authentication into this one thing during this specific scenario, now I have more of a reliance on my other controls in that time frame than I do otherwise.
Richard Kaufmann: That's one of the things we're always kind of working on, just because there's a gap doesn't mean we're not doing anything about it, we just need to do a better job about documenting all of those other things that are being done in this space and this is where I think of kind of getting into the market, like the AI opportunity. When we get into things like automation and all of that good stuff, that's where I see a lot of that playing is, under these specific events, if this doesn't occur, go do these other things. That's kind of what we're doing right now, we're just in its infancy, to be honest with you.
Jen Ellis: So, one of the things we sort of ask, because people talk about projects is, how's everything going? What's working and what's not? It sounds like a lot of stuff is working, that you've figured out how to make progress and make it practical. What are some challenges you've faced since going through all this?
Richard Kaufmann: Yeah, I tell you what. The first vendor that comes in here and figures out how to sell me 12 more hours in the day, sign me up for the three-year deal on that one.
Jen Ellis: Can I interest you in perhaps some cloning instead?
Richard Kaufmann: That would be perfect. I think for opportunities, that's the thing that's hard for us. It really does come down to where do I put my people, where do I put my money, to have the largest impact, the greatest success in improving patient quality of care. We are in a highly regulated industry and that certainly adds its own layer of complexity, so as you kind of have your three-year plan, you don't always know what the next regulation is going to come in and do, and we're in a little of that situation right now, where there's new regulations on the horizon. We're figuring out how to pivot, what do we work on, what is truly the priority vs. what can wait a few months. I mean, in my role, it's really more about just aligning the resources and the technology to the problems.
Jen Ellis: So, what would you, with all that in mind, what would your piece of advice be to someone who wanted to tackle a transformation project?
Richard Kaufmann: The first thing that I would say you do is you go on and hire the best people that you can find. And we've managed to do that here at Amedisys. We've grown our security team quite a bit over the past year. And that is the thing for me, all of those employees of mine, I call them carnivores all the time. They're just straight meat-eaters. They just come in day after day and they understand the vision, not just at my level, but at the company level. And they know how they fit into that wheel, right? And as you have that unit that understands, hey we are all going this direction, here is how I play my part in that, that progress, it gets a little bit easier. And honestly when you are not making the progress and you run into the speed bumps, it makes that a little easier as well because there is a team to rely on. Which is the joke about the long walks on the beach, that was a tough life lesson for me. It might surprise you to hear that I am a little bit of a type-A personality. And so, one of the hardest things that I find myself doing is asking for help. And there is a great company out there. Quick little shout-out to GORUCK. GORUCK is an organization that not only makes some of the best backpacks on the planet, but they do these events, right? And these events are meant to be these endurance events and they are run by ex-Special Forces operators.
Jen Ellis: What?
Richard Kaufmann: So just imagine intentionally paying money to have a former Navy SEAL yell at you for 12 hours. And so I did this, and kind of, in the middle of the night, my body kind of quit. My body was done. And the rule is you wear a rucksack, and it has 35 pounds in it, and you are not allowed to take it off. And I was doing this stupid exercise, I am literally lying down in the street. Just contemplating all those questionable life decisions that have gotten me here. And the cadre, the guy in charge, comes over to me and he says, "Man, I have some bad news for you." And I'm just thinking, what worse news do you have for me in this moment of my life?
Richard Kaufmann: And he says, "You can't quit. You are not allowed to quit." And he says, "I am going to leave you here for a few minutes, you organize your thoughts, and I will come back and check on you in a little bit." So, just that process of him walking away, it gets you thinking, "Why am I doing this? Really, why am I here? Why am I putting myself through this? What is going on?" And he comes over and he is like, "Alright, quick assessment, what are you physically capable of right now?" And me being the smart aleck that I am, I was like, "I am physically capable of sitting." And he says, "Great, if you can sit there, then you can be carried." And he says, "What we are going to do is, we are going to give someone else your rucksack and we are going to carry you to the next area. And you are going to sit there and you are going to watch us, and then we're going to carry you to the next one, and we're going to carry you the rest of the night, but you are not going home."
Richard Kaufmann: And that lesson just stuck with me. And of course, you know, me being type-A macho guy, I was like, "I am not being carried." I got up and put my rucksack on and was right back after it, and that's the thing is, when you're managing a team that has the amount of things on its plate that all security organizations do, No. 1, as a leader you need to understand when people are taking that knee, and you need to be able to check with them and do the assessment. "Okay what are you capable of accomplishing right now?" And then kind of regardless of their answer, be able to show that you are there to support them and that you can get them to the finish line regardless of what their contribution is.
Jen Ellis: I love that. I think that is such a great note to end on. Although I will also add that clearly that dude was one smart cookie and he knew exactly how to play you from the beginning.
Richard Kaufmann: He may have done it once or twice before.
Jen Ellis: Yeah. I think that is a perfect note to end on. We always love the power of teamwork message. All right, cool. Thank you, Richard, so much. This was such a great conversation. I feel like we could have gone on for a really long time. I barely let Tod get a word in edgewise, although that's pretty much my standard MO, let's face it.
Richard Kaufmann: I will tell you what, if I’m around in another year, let's do another one.
Jen Ellis: Yes. For sure, and there will be cake. Right? I'm starting to think the cake is a lie. I had to get it in there, come on now. Thank you so much. It just leads me to say thank you to Tod for educating me in the Rapid Rundown and for having the forbearance to put up with me not letting him get a word in edgewise. And thank you as ever to our amazing producer, Bri, who is the person who really does all the work. We will catch you next episode. Thank you!