May 5: Today on Townhall, Brett Oliver, Family Physician and Chief Medical Information Officer at Baptist Health interviews Michael Erickson, CISO at Baptist Health, Louisville, Kentucky. How far has healthcare come in terms of cyber protection over the past few years? Will we ever get to “bank level” security? Do we want to? How does the ever evolving world of cyber insurance affect the average health care organization? What does the recent tremendous explosion of investment venture capital in the digital health space mean for security?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
I think technical innovation is the future of healthcare. And I think that it's super important for us to not lose sight of that because the security aspect of it has to be managed. We have to do these things safely. We have to take the time that it takes to understand what could happen on the cyber side. But we have to recognize this innovation is critically important for patient care long-term.
Welcome to This Week Health Community. This is TownHall a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Hillrom, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now ???? onto our show.
All right. Welcome back. I'm Brett Oliver, chief medical information officer for Baptist health, and I'm tickled to death to have Michael Erickson. One of my coworkers here, colleague from Baptist with me today. And I'll let Michael go ahead and introduce himself.
Thanks Dr. Oliver. I'm glad to be here. I'm Michael Erickson, chief information security officer for Baptist health.
Michael is a rockstar. I'm glad to have him here. Ask some questions, pick his brain a little bit. So let's just jump right in. in your opinion, how far has healthcare come over the last several years? I mean, I've watched our organization grow in our cybersecurity. And cyber protection, but as an industry, from your opinion, where do you see the cyber protection in our industry growing over the last several years. And will we ever get to like a bank level security? And I don't know if that's a achievable goal or even a desirable goal, but something that comes to mind when I think about security overall.
Well, I think it's an interesting question. I think the health sector is very much advanced in the past several years. And I think you will find a lot of examples of organizations that have invested as heavily as banks in the healthcare sector. It's not something that's very publicized, so it's under reported, but it's clear that we are being targeted all across the sector and it's clear that it's a key issue for boards and senior leaders across the organizations that I'm familiar with.
Why do you think that it's under reported? I'm just curious, like, I would think banking margins would be likely greater without doing the deep dive and things like that is it, they don't want to be known that they're spending money there because then that makes them more of a target.
Well, I don't know about that, but I think there's some people believe if you talk about your program, if it breeds interest in your program from those, who don't want to be interested. There's also the thought that incidents are widely under reported as well because people don't like to be scrutinized for things that are happening.
So In banks, the SCC is highly regulated. The transparency, I think the more that healthcare is treated in those circumstances required to disclose things. I think you'll see a lot more transparency.
You think there'll be some of that regulatory influence coming. ONC or other regulatory bodies over healthcare, or you think it's more of a self-imposed thing that's coming?
I think two things would improve the transparency. One is additional regulations requiring it. And the second would be some pressure from cyber security insurance providers or asking for evidence of certain controls and the effectiveness of those controls.
That's a great point. Well, let's shift to that just a second. I mean, how has this evolving insurance world affected the average healthcare organization.
Well, insurance in general is having trouble. The insurance market appears to be having trouble pricing health insurance for cyber events. They're still trying to understand what is the standard and how to measure the effectiveness of controls to be able to provide an organization price for the coverage. That certainly we've seen a lot of more claims going out than they had expected over the last several years. And it needs to reach an equilibrium. So I think it's getting harder to get cyber insurance. It's getting more expensive. Premiums are going up. Deductibles are going up.
Do you see colleagues across the industry, their organizations going without or self-insuring at this point or other it's still most are able to explain it.
I think there's a combination and there's actually some organizations. If you're not investing heavily enough in this space, you may not qualify for the insurance. They just may not provide you coverage. but most organizations are still investing in it and relying on that, especially given the heightened number of attacks and frequency of attacks.
Well, let's switch gears. one of my favorite places is the digital health space and we've watched that area, just had a tremendous explosion of investment venture capital over the last three to four years, 30 billion plus last year. I've got my own heartburn about the data siloing that occurs with that. But from a security perspective, does that give you heartburn at all? In terms of all these data holders that are out there, maybe they want to connect and maybe they don't that whether we're directly responsible for as an organization or tangentially, it's still where we're the entity that someone may come after.
I think technical innovation is the future of healthcare. And I think that it's super important for us to not lose sight of that because the security aspect of it has to be managed. We have to do these things safely. We have to take the time that it takes to understand what could happen on the cyber side. But we have to recognize this innovation is critically important for patient care long-term. So that helps me put it into context. And then I can focus on the safe implementation of technology and trying to think like the attacker and try to think of ways that that technology could be used. Unintentional uses. It's not without its challenges, for sure. Especially because there's little devices and there's so many things being created that are actually physically given to patients that store data and transmit data. Those are really challenging as well.
I got to thinking you as a cyber leader, do you experience that same challenge was you're going to have vendors and new solutions coming at you maybe more so than, than I would in the clinical space.
We do the choices that you have as a cyber professional of which technologies to choose to help defend your organization. They're just growing in numbers. It's a huge space where. Private equities investing. There's a lot of choices. So that's part of the part of building a strategy for a I'm sure it's just like digital health. You have to be strategic, meaning you, you can't choose everything. You have to be selective about what you choose.
A hundred percent. Well kind of along those lines, maybe this is a little bit more esoteric, but I did want to ask you, so how would you define cyber resilience in terms of a strategy? Not necessarily a series of technical controls or solutions, but as a strategy. And then how do you measure something like that?
Well, I think you have to think about resilience in terms of expecting bad things are going to happen and planning for that, that not necessarily planning for it, but being prepared for those things to happen. And I think the more we can understand where technology is actually a critical function in our day-to-day life.
It's easier for us to anticipate what life would be like if that technology went away for two hours, four hours, eight hours or longer. And that's what I'm, that's the best way to look at resiliency is to really think about what what you can do during periods, where the technology is not available and how you're going to recover. After that technology is back. So it isn't a framework. It's a more holistic way of viewing things. it's not a checklist.
Right? Right. I know some of the tabletop exercises that. And privileged enough to participate in pretty eyeopening. When you really have to think about it on a practical level, what does that look like? It's one thing to say, oh, we can be up and running back and four hours, or what did that four hours look like? What did you do for patient care in that four hours? I hear you. I think it has to be preparation and it's, it's likely ever evolving mindset preparation. You can't have one plan that you put on the shelf after working on it for a year. I would imagine.
Sure and think about all those hours leading up to that decision to do the four-hour recovery. So you add all those hours to it. Even making the decision, should we choose to switch to a different data center or should we enact our disaster recovery plan? All of those things take time and energy to this side. Is this a temporary operational failure or is this something that has risen to the level that requires us to put that energy behind it?
All right. Well now you and your team, in my opinion, do a great job when we've got new policies, new procedures in place, from a cybersecurity perspective of giving the end user. The why I'm a big believer that if you give me the why I may not like it, but I can understand it and I can get behind it a lot better.
If you could sit down with every clinician, nurse, physician, PA nurse practitioner, you name it, that's the an end-user and have kind of a one-on-one conversation regarding cybersecurity. What what's that one thing or two things that you would want to say to them?
Well, I would certainly love to focus on two things. One is passwords because we're still dealing with passwords in our environments, and I know that's frustrating. The other is internet access and both of those things we have to be very intentional about how do we manage those things? Unfortunately, there's not a viable, alternative to a password today on a wide scale for 20,000 people to change our electronic health records and all the applications that we use and passwords are still the coveted prize of an attacker.
And it's not that they're going to necessarily steal it. Well, they do do that, but they can crack short passwords. Very. So the longer the password is the less likely that password can be cracked. That's one big topic that I know it causes friction. It's frustrating. It's frustrating to security professionals as well.
So we're looking forward to innovation that space. The second thing is internet access. Every time I go on the internet, I know I'm exposing my computer to risk. I open my browser. There's a lot of people on the internet that are, that would wish us harm. So. We have to think about internet access differently.
Most people want to open and then close the things that are bad. It's really difficult to do that. So I would just say we have to be very cautious about anytime we're connecting the device to the internet and we have to continue to live with passwords.
Any over all thoughts about biometrics. Is that going to be a solution at a high level, two passwords for when you think it will be a different kind of technology?
I think it will be a blend of technologies. I think that it will be an addition to what we see as multi-factor authentication today. So if you can think of adding characteristics to that possibly using face ID on your phone to add some biometric component or. If it's calculating your location, geo geolocation using the phone that you're carrying, some of these things are policy-based access controls that that will evolve over time. And I think it's going to be an extension in addition to what we're doing with two factor authentication.
You know how much I enjoy working with you. And I really appreciate you taking the time to talk with us today and sharing your wisdom. Thanks very much.
I appreciate it. Thanks Dr. Oliver.
I love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors Olive, Rubrik, Trellix, Hillrom, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. If you want to support the show, let someone know about our shows. They all start with This Week Health and you can find them wherever you listen to podcasts. Keynote, TownHall, ???? Newsroom and Academy. Check them out today. And thanks for listening. That's all for now.