James Winebrenner of Elisity and Aaron Weismann of Main Line Health join theCUBE’s John Furrier at the RSAC 2025 Conference to discuss cybersecurity innovation in healthcare. The conversation focuses on building resilience through segmentation, least privilege access and real-world readiness.
Winebrenner explains how Elisity supports healthcare systems with identity-based policies that reduce risk without disrupting operations. Weismann shares how the partnership has improved downtime response and strengthened incident preparedness through tools such as tabletop exercises.
The discussion offers a practical look at evolving cyber-physical security strategies in healthcare. It’s a timely exchange for leaders facing growing threats across digital and clinical environments.
James Winebrenner, Elisity & Aaron Weismann, Main Line Health
Security Innovations and Transformations at RSAC 2025 with James Winebrenner and Aaron Weismann
James Winebrenner, Chief Executive Officer of Elisity, and Aaron Weismann, Chief Information Security Officer at Main Line Health, join John Furrier, co-founder and co-CEO of SiliconANGLE Media Inc., live on theCUBE at RSAC 2025. The discussion unveils the significant strides being made in cybersecurity, particularly in healthcare, emphasizing resilience and innovation.
In this insightful conversation, Winebrenner shares how Elisity pioneers efforts to enhance security through advanced segmentation and least privilege access strategies. These strategies are crafted over years and are crucially redefined during the COVID era. Integrating closely with institutions such as Main Line Health, Elisity focuses on ensuring robust cyber-physical security with minimal disruptions, a necessity spotlighted by the pandemic's challenges. Video host John Furrier and analysts from theCUBE delve into these critical aspects, facilitating an in-depth exploration.
Viewers can glean key takeaways from the dialogue, including the pressing need for improved resilience in healthcare systems given the rising sophistication of cyber threats. Weismann states that the partnership with Elisity leads to substantial reductions in downtime and enhanced security protocols. The transformation reflects not only in policy but also in practical exercises such as tabletop simulations, fundamental for preparedness in real-world scenarios.
James Winebrenner, CEO, Elisity
Aaron Weismann, CISO, Main Line Health
John Furrier
>> Welcome back everyone to theCUBE's live coverage here in San Francisco for RSAC 2025. I'm John Furrier, host of theCUBE. Jackie McGuire, Dave Vellante, John also here, our entire security research team. Of course, SiliconANGLE getting all the news, check out SiliconANGLE.com. We've got great lineup here, talking about the integration and transformation, making security go faster. And again, no downtime is the key and no disruptions. James Winebrenner, CEO of Elisity, and Aaron Weismann, CISO of Main Line Health. Customer, we've got another CISO in theCUBE. Great to see you guys. Thanks for coming on.
James Winebrenner
>> Thanks for having us.
Aaron Weismann
>> Yeah, thank you.
John Furrier
>> It's really been, I won't say great time for CISO, but it's a great time for CISOs because good things are happening on many fronts. The game is still the same. You got the threats, you got the environment, but the infrastructure's changing. You got apps are changing, you got the models now coming in. You guys have an interesting integration and transformation, and that's the game because it's transformation, but also the business transformation is impacted. Talk about what you guys are working on. We'll start with you.
James Winebrenner
>> Yeah, so we've been focused for the last five or six years on helping organizations move much faster on being able to enable segmentation and least privilege access across the environment. And one of the things we heard building this during COVID, all of the knowledge workers were at home in their pajamas, but the people that were still having to run vaccine production facilities, run manufacturing or run a hospital, they were in the trenches dealing with the reality of cyber physical security every day. And so what we have been really, really privileged to have some design partnerships with customers that have helped us to deliver innovation, allowing us to take action in those cyber physical environments, again, with that goal of moving towards true least privilege access.
John Furrier
>> And the COVID thing also highlighted was kind of a black swan event in the sense of the environment at home isn't the network. So hello, SASE not working. So a lot of things got pulled forward, realities. This was a big deal. Okay. So how does that relate to what you guys were working on? You just also recently got an award, top 100 CIO and top 50 CSO. What's your story relative to this? Because this is like where you're now the practitioner. Your feet to the fire.
Aaron Weismann
>> Yeah, no, and so we have a distributed environment for our back office and administrative staff, but our hospitals stayed open throughout COVID, right? And they continue to stay open and we're seeing more sophisticated, broader attacks against health systems. And that's only increasing in velocity and veracity as well. So a lot of what we're doing is trying to drive better resilience in the organization so we have fewer downtime. So we're able to care for patients longer, better, more robustly using technology. And part of that work has been integrating Elisity into our network and making sure that we're able to effectively micro-segment all the devices on our network.
John Furrier
>> I mean, this has become a big topic. I know it's a little bit in the weeds, but it's one of the biggest things, the segmentation's critical because of the identity piece. And also the trend, we just had another guest on talking about how ransomware has actually dropped because the attacks are targeting services, downtime. So it's not the broad-based spray and pray, my words, but ransomware was up on volume, but lowers the volume, but now they're highly targeted. Hospitals are significantly targeted. I mean, what's the environment like now? Has there been a breakthrough? You guys have some successes. What's the challenges? What's the current state of the market from your standpoints? Is it still a lot of pressure?
Aaron Weismann
>> I think there's a lot of pressure. I think threat actors, as you identified, are becoming more vicious, targeting health systems in particular as well as other critical infrastructure. And they're doing so because regulatory breaches and patient dignity impacts are revenue drivers for them. So fortunately our tooling has become more sophisticated. We partner with more vendors who are able to deliver parts of infrastructure that are able to help us reduce the blast radius of an attack, which is absolutely critical to keep patient care going.
John Furrier
>> James and Aaron, talk about the project because I want to get back to the segmentation piece because it sounds easy. That user shouldn't have access to that system. It sounds simple. Can you scope the complexity and then how did you guys pull it off?
James Winebrenner
>> So clinical environments are incredibly challenging. If you think about traditional IT assets, you have all of those, all of the managed desktops and laptops and wireless and what have you. You have a significant amount of IoT. You've got physical security systems, badge readers, IP video cameras, et cetera. So all the IoT devices. Bring your own device is very different in a clinical setting because it's not just the employees. We've worked with hospitals, patients are bringing Xboxes and plugging them in the room. But then on the clinical device side, you have systems that are critical to providing patient care that can't be patched. We can't run an EDR on it. And if there is a known vulnerability, you have to wait for the FDA to clear the software upgrade before you can upgrade. And so in a typical environment, when all of those things are running on one network, your blast radius is significant. And so being able to, number one, identify those different classes of systems and then be able to not just segment them for segmentation's sake, but really move them towards a true least privilege access model. Does that MRI machine need to talk to the IP video camera that's on the fifth floor? Answer is no, right? It needs to be able to talk to the patient monitoring system, the PACS system, et cetera. So being able to quickly identify what those devices are and then non-disruptively segment them is very important. These are assets that are running embedded operating systems. It's very difficult in some cases to change network settings. You can't just change the IP address on a CAT scan machine. So being able to go in and non-disruptively map them back into a policy without creating downtime, without having to re-plumb the network is really where we've been focused on time to value.
John Furrier
>> Aaron, you had to implement, so walk me through on your side, you got compliance, you got regulations, you got care. I mean, non-disruptive is great term. Reality of making that happen. Take us through the scope and what you guys did.
Aaron Weismann
>> Yeah, so deploying Elisity drove a much broader hygiene project within the health system, where we effectively had to upgrade all of our network equipment and upgrade the firmware on the network equipment, the software that's running on them, and then deploy Elisity. And so part of that upgrade process forces a downtime, and that's where the CSO-50 award came in. We created the system where we use that downtime to take the tabletop exercise to the end user. So all of our clinicians were forced to go to downtime. We were able to disguise that technical downtime as well and really reinforce the resilience of, "Hey, you might have to go to paper if there's a ransomware attack. We're a hundred percent going to be ready for that. Here's how you're going to be ready for that." The deployment of Elisity, absolutely flawless.
John Furrier
>> How about that tabletop to reality? That's really big breakthrough. Walk me through that again. I want to make sure I catch that piece.
Aaron Weismann
>> So when clinicians are trained nowadays, it is, you use the EMR, you use the electronic assets that you have, you use the technology for patient care. We move away from analog treatment effectively, right? When there's a downtime, you must move back to that analog treatment. And what we've heard anecdotally is in the first 48 to 72 hours, that's where you see the most patient care impacts. It continues throughout. And where the average downtime at health system is 30 days, that's very, very impactful to quality patient care. And so we wanted to minimize the disruption for transition to paper. And you do that by practicing on paper and getting people exposed to that.
John Furrier
>> And that's the class, we hear that all the time. Tabletop exercises. It's a cultural thing, but you had to rapidly deploy it in a... What was it called, a migration? What do you call this project? You're not migrating.
Aaron Weismann
>> Uplift. Uplift and upgrade.
John Furrier
>> I mean, okay, that's challenging. What were the biggest learnings? I mean, if you look back now, what was the big takeaways? Because that's hard. It's a heavy lift.
Aaron Weismann
>> Yeah, so probably one of the biggest takeaways is that clinical operations actually loves helping technology design. Prior to us engaging in this project, it was really, hey, we're going to abstract the technology because they really care about patient care. But it turns out they care very greatly about the technology support on their patient care. And if you start introducing these concepts and communicating in a clinically relevant way, you're going to be able to get really solid buy-in from your clinical operators. And honestly, that's transferable to any industry.
John Furrier
>> Talk about the Elisity piece of it. What was the big thing on that? Was it just the tech? Take us through the solution.
Aaron Weismann
>> And the reason Elisity was so attractive to us is, it is, as James mentioned, downtime-less deployment. And it just works, right? As soon as you deploy it, it starts looking at everything on the network and determining whether or not it's appropriate for something to communicate. And honestly, the speed to being able to block unwanted communications across the network has been absolutely incredible.
John Furrier
>> Not a bad comment, "It just works." What's behind the secret sauce?
James Winebrenner
>> We really wanted to decouple the ability to have a least privilege access or zero trust policy for every asset on the network from the underlying network. If you think about the way we've been doing this for the last 20 years, security team has said, "Hey, we need another control here. Let's break the network, put a firewall in, break the network, put another firewall in." And so the amount of re-plumbing that was being done in order to accomplish that segmentation would take years. The number of change control windows that was required was massive. So what we have done is, again, decoupled those things. Built a software-defined control plane that we can extend out into the existing infrastructure, gather metadata about what's communicating, marry that up with other sources of identity and context that exist in the customer's environment. Things like Armis, things like ServiceNow, Active Directory, and give our customers a holistic view of all of those assets and then allow them to build that policy based on the identity and context, not the underlying network construct, and have that policy atomized and distributed back out over the network in real time.
John Furrier
>> I think that's a real highlight of, I think that trend here this year is that... And we even had people pointed out, network security doesn't need to be there and we know what the firewalls and all these things were doing. The data piece becomes the instrumental part for doing things faster and more efficiently. I mean, we all lived in the world where firewalls, talking about re-plumbing. Quantify the downtime estimate. If you're going through the re-plumbing, what would the project look like? What would it be like, weeks?
James Winebrenner
>> I'll use the example, we have another customer that did this exercise. They had had a peer in their industry impacted with NotPetya. Caused over a month and a half of downtime at a couple of large pharmaceutical manufacturing facilities. And the response at our customer was, "Hey, do we have the same vulnerability? We thought we had this air gap network."
And the answer was, yes, we have the same vulnerability. CISO went to the board, said, "I need $200 million to go remediate this." And the board said, "Okay, go do it." And the challenge became looking at that project plan of going into a plant, much like going into a hospital saying, "I need to take the downtime. I need to go identify all these systems, map them back to different VLANs, create all the rules." It was a six-year project plan with 3,500 change control windows.
John Furrier
>> Oh my God, it's massive. I'm like weeks, you're like years.
James Winebrenner
>> CISO looked at it and said, "I'll have been replaced twice by the board by the time this project is done." So the reality is being able to meet the customer where they are in the infrastructure and start looking at mapping those least privilege access policies back without having to make changes in the network, that's the capability that we've delivered.
John Furrier
>> And the time to value, I mean, you're talking years. I was saying, oh, weeks and months. I'm like, wow.
James Winebrenner
>> Yeah. And Aaron can talk to the entire amount of time that it took us to deploy across the organization was...
Aaron Weismann
>> A few months.
James Winebrenner
>> A few months.
John Furrier
>> And you also took a couple other shots too, that changed some culture. The tabletop, you kind of took the advantage of the situation.
Aaron Weismann
>> Yes. No, we were able to use it to drive security awareness and education across the board, which I love that as a CISO, right? I absolutely want to do that.
John Furrier
>> It's a double bottom line right there because you get the bonus of actually, "Hey, if we don't do this," and also, people now know. Because everyone sees the stories in this nightmare scenario, cyber threats on the service disruption is mission-critical. Aaron, I have to ask you, you gave a talk today. You mentioned before we came on camera, what was the title?
Aaron Weismann
>> Oh, Dr. Downtime or how I learned to... Oh gosh, I can't remember the end of it. I apologize.
John Furrier
>> How we learned not to stop worrying and love downtimes.
Aaron Weismann
>> Yes, thank you.
John Furrier
>> Explain the title. We just talked a little bit about how I'm like downtime. You've cut downtime, but you leverage it. This is really nuanced, but I want you to explain the concept of the talk.
Aaron Weismann
>> Yeah, and so this was a development actually from the project I was just talking about resulting from the Elisity deployment. One of the things we noticed when clinicians were reverting to paper processes that they hated it. Any technology supported care is better than analog care. And so internally, we pivoted. We said, okay, we're going to continue the education, we're going to continue drilling on this, but we want this to be truly a last resort. Our organization is building resilience on the technology side so that we're able to continue technology supportive patient care, independent of our production network in the event that something terrible happens. We don't expect that to ever happen. And we've deployed a ton of infrastructure like Elisity to make sure it doesn't, but, worst case scenario.
John Furrier
>> It's a reminder too. It's like, "Hey, this could be an alternative. Do you like it?" "No. Oh, no. Give me the technology back." So in a way, you earn some fans too probably.
Aaron Weismann
>> Exactly.
John Furrier
>> Inside.
Aaron Weismann
>> And to other forms of downtime, right? We're very focused on ransomware and cyber events, but there could be a fire, there could be a flood. We could have to move patients for one reason or another. We can now move the technology with them to be able to have that technology-supported care.
John Furrier
>> Yeah, it comes up at all the events we cover on the security and the threat side, tabletop exercises, mandatory workflow. Now you took that and implemented it in with the project. For you guys, what's this mean for your business? Obviously you got a great customer use case here. The time to value. I mean, I just love the stat. It blew my mind. I'm like, six years and 200 million, I thought that was the problem. No, it was the six years. I mean, cost, efficacy, huge, huge theme here this year.
James Winebrenner
>> Yeah, I mean, the work that we're doing with clinical healthcare providers is honestly the fastest growing part of our business. I think everybody understands the problem very well. In fact, Health and Human Services has had a well-defined mandate for clinical device segmentation as part of 405(d). And the challenge isn't that the CISOs and their organizations don't understand it. These are all very, very smart, very capable people. It's a time and resource issue. And in clinical healthcare, unfortunately, there's not enough time or enough resource no matter where we go. And so being able to effectively accelerate this capability does free up opportunity and bandwidth for them to go focus on other elements of the organizational maturity. And so what's been great, Aaron has been a phenomenal partner. We've got a number of other CISOs in clinical healthcare, and the community aspect of this of saying, "Hey, we built the playbook. We know how to go do this." They're now sharing that out among their CISO communities. We're already working with three or four other regional health systems in the Philadelphia area based on the work that we did with Main Line. And we're really seeing that play out writ large across the US.
John Furrier
>> And we will do whatever we can to amplify that. I think this is a best practice that has real benefit. And I think you guys also took the opportunity to modernize. I mean, the whole story here, independent of this use case, which by the way is phenomenal, is the network layer's transit. Let's get out of that business, keep the transit flowing, let's modernize that data layer here, it's identity, and just manage zero trust-like environment. This is where it's going.
James Winebrenner
>> That's exactly it. And we see this with every one of our customer engagements. We are able to change the relationship between the security team and the infrastructure team from being pretty acrimonious to letting the network infrastructure team focus on architecting for availability and performance, dealing with network lifecycle management as its own domain, and then giving the security team the tools immediately to go and get the policies implemented that they need to reduce risk.
John Furrier
>> And James, the key there too, and Aaron, to your environment, you're also kind of by accident on purpose, the readiness increases for AI agents. So you're more agile, you're in position to now look at, because you're now at that data layer, agents are only going to help down the road.
James Winebrenner
>> Right.
John Furrier
>> So I think, seems to be, what's your reaction to that? Obviously a little bit more practical. You guys are services, mission-critical, but I can imagine you're now in a position to look at agentic agents, other ways to augment the technology.
Aaron Weismann
>> From a security standpoint, the more resilience you're able to build into the system, the easier it is to deploy new, innovative things. If they break something, less of an impact, right? So I'm very optimistic about how AI is going to develop in the clinical space and in the security space. And it's exciting, exciting times.
John Furrier
>> Great story, guys. And phenomenal use case. Congratulations. The bar is high for resilience, cyber resilience. It's a high bar. I mean, gen AI is not, it's going to take some time to get there, but you're starting to see some practical use cases. Modernize, get secure, no downtime. You have downtime, you use it, tabletops, great job.
James Winebrenner
>> The difference between the planned downtime versus the unplanned downtime associated with a massive breach that has all the lateral movement.
John Furrier
>> Win-win. Guys, thanks so much. Appreciate the story. Stories like this, share the movements going on here in the security industry, transformation in the technology, how you approach it, but also the use cases that are emerging. This is theCUBE bringing you all the action. I'm John Furrier, host of theCUBE. Thanks for watching.