Matt Murren, CEO and cofounder of True North ITG, a healthcare IT and cloud service provider, sat down with MobiHealthNews to discuss how the company helps health systems and venture capital firms ensure cybersecurity within their organization and among potential portfolio companies.
MobiHealthNews: Can you tell our readers about True North?
Matt Murren: We started True North in 2001. We cover everything from help desk support all the way to EMR hosting and the ancillary third-party applications in and around the EMR, and then on into cybersecurity.
We have a cybersecurity practice where we help healthcare groups protect from ransomware and other threats, and then we also get into the data application layer of services.
We specialize in ambulatory and community health centers. We work with some hospital groups, mostly regional and rural hospitals, to basically try to mature their IT platform to improve performance for the care providers, and that’s been our sole focus for well over 20 years. We cover coast-to-coast, so we cover groups all over the nation.
MHN: The company works with investors as well, correct? What type of work do you do with investors?
Murren: So, over the last few years, we’ve seen a few different trends. We’re seeing providers come out of hospital systems that are partnering with private equity, and we also have private equity groups that are doing consolidation.
A lot of what we do on the private equity side and investment side is when they’re consolidating systems, they’re looking for some economies of scale and efficiencies, and so a lot of these groups, as they were individually owned and operated, run many different system types.
What we do is we kind of build a consolidation of future strategy, and this is also for larger groups that are doing their own consolidation.
We have some folks that are building CBOs and MSO layers, which is very similar, but really, at the end of the day, trying to reduce the surface area they have to manage, improve security standards, improve system standardization, and then as some of these groups spin up new practices, we take that standard and kind of bolt that onto the current environment.
MHN: When looking at how to secure these systems, what are some organizations doing right, and what are some doing wrong? What trends have you noticed that make companies more susceptible to cybersecurity attacks?
Murren: It’s definitely bottom-line focused. But when groups use different systems, and there are a lot of different integration points, there are just more things that can go wrong. So, we try to simplify the system layer and ultimately improve performance where the physician touches the system and the keyboard.
Because they’ve been so prolific in healthcare, because it’s been a really focused attack in the last couple of years, I would say the awareness is definitely up. We see a lot of people that are running tools like SentinelOne or CrowdStrike. We obviously had a large disruption globally from CrowdStrike. But at the basic level, like firewalls, some sort of endpoint protection, you kind of see that everywhere.
There’s a few gaps. We still see folks that have the MDR sensors, but they don’t have a full security operation center, which is basically similar to like ADT for your home or any home security, someone sitting there waiting for an alert to appear and jumping on in real-time to remediate it and kind of contain that impact. So, that’s one thing we recommend.
Because some of these attacks are highly sophisticated, sometimes they’re coming from nation states, oftentimes there’s not a lot of time to patch, so you have to have a good incident response plan. You’ve got to have a real-time view of what network, what device specifically has been attacked, so you can quarantine that. So that’s kind of number one.
Number two, which I think we’re seeing improvement on, is training and awareness for employees and filters and systems that prevent things like phishing emails. A lot of times, these attacks come through some sort of social engineering. We’re starting to see these come through SMS via text.
We’re starting to see all sorts of different, very well-crafted phishing emails that appear to come from a vendor. We’ve even seen those post-CrowdStrike – phishing attacks posing as updates from CrowdStrike on the outage. So, you really have to be vigilant.
There are two layers that we’re providing: one is a dark web scan, which what that does is it scans the dark web to see if your username and password or email and password pair have been breached on any system.
The other thing we’re doing is simulated phishing attacks for the sole purpose of training and awareness. So, crafting a simulated phishing message so that if someone clicks on that, we can immediately turn around and send them a security awareness piece, and do that in a randomized way across an organization.
MHN: What do you say to healthcare systems not fully investing in cybersecurity?
Murren: With labor inflation, there are a lot of budget pressures we see in healthcare. There’s pressure on payers. The payers are putting pressure.
When we talk to the stakeholder physicians, and they’re like, “IT is too expensive,” and in some cases, that’s true. But a lot of times, it’s simply allocation, and it takes some digging into right-sizing their systems, right-sizing their contracts. We’ve been pretty successful at finding some of those for our customers, but we’re definitely seeing people allocate more funds to security.
It’s super disruptive, and there are a lot of healthcare-specific attacks. Unfortunately, we don’t see that slowing down. If anything, those attacks are getting more scary, especially in light of some of the recent ones, like the blood bank that was attacked, which created what could have been a really serious issue, because you can’t access a system that provides donor blood.
Maybe five years ago, people were talking philosophically about killware versus ransomware, and unfortunately, that’s why healthcare systems are so appealing to attackers, because the stakes are pretty high, so people tend to pay the ransom when there’s lives at stake.
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C. Learn more and register.
