This Week Health


June 25, 2021: It feels like healthcare is constantly under attack. What is going on in the cyber world today and what can we do about it? Mitch Parker, CISO for IU Health, shares the foundational elements of a security program, including staff awareness, funding, governance and evaluation of practices and procedures. What is the most common gap in cyber programs? Where are people generally falling short? How do you determine the right amount of funding? Can smaller health systems keep up with the sophistication of the attacks? What can they do to keep criminals and terrorists at bay? What advancements are there in detection, prevention and threat response?

Key Points:

  • You can choose a path of defense or you can choose a path of crime [00:12:05]
  • Biden's Executive Order on improving the nation's cybersecurity [00:13:05]
  • The Finland mental health records breach [00:14:35]
  • The biggest gap in most healthcare systems' cyber programs is due diligence [00:25:53]
  • At least five to 10% of your budget needs to be focused on security and security measures [00:31:05]

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Today we're joined by Mitch Parker, the Chief Information Security Officer for IU Health.

Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you wanna be a part of our mission, you can become a show sponsor as well. The first step is to send an email to partner at thisweekinhealthit.com.

Your response to Clip Notes has been incredible, and why wouldn't it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs, and it has a summary of what we talked about. It has bullet points of the key notes in the show, and it has four video clips that our team pulls out that we think really capture the essence of the conversation.

It's simple to sign up. You just go to thisweekhealth.com, click on subscribe, put your information in there, and you'll start receiving Clip Notes after our next episode airs. It's a great way for you to stay current. It's a great way for your team to stay current and a great foundation for you and your team to have conversations.

So go ahead and get signed up. Just a quick note before we get to our show. We launched a new podcast, Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective. You can subscribe wherever you listen to podcasts. You can also go to todayinhealthit.com.

And now onto today's show. Today we're joined by Mitch Parker, the Chief Information Security Officer for IU Health, and I'm looking forward to this conversation. Mitch, welcome to the show. Thank you very much for having me on, Bill. I'm very happy to be here. I love following your stuff.

And you not only post about what's going on in healthcare, you're actually following cyber around a lot of different industries, because I see your posts across the borders a lot. You have to these days, because every industry is interrelated and everything has an effect on ultimately how we take care of patients.

Yeah. As we're seeing, I mean, the pipeline was a ransomware attack and it has no boundaries. It's wherever they can get money for ransomware, I guess, at this point. Tell us about IU Health before we get started. So IU Health, I'll give the standard description. We are a 17-hospital system serving the citizens of the state of Indiana with a number of different outpatient facilities and our Lifeline Ambulance Service, which covers the entire state.

And we also have a very strong affiliation with IU School of Medicine and all of their campuses, and we do a lot of work to try and advance the health and wellbeing of Hoosiers. Yes. Which is a term of endearment in Indiana, so, which is great. Are you in Bloomington, or where are you located? I am right outside of Indianapolis.

Indianapolis, okay. Is that where the headquarters is for IU? Yes. Headquarters is there, and that's also where the main campus of the medical school is. Got it. Okay. That makes sense. How long have you been there, and what was your path to become a CISO? So, I've been at IU Health about four and a half years, and my path to getting to this point started, I'd say, about 18 years ago.

At this point, I was a defense contractor. I originally got brought in to DOD to do some work on Oracle databases, and the person that was starting up the information assurance program there figured out really quickly that I understand security well. And so I started getting more and more assignments related to security, and then about 17 and a half years ago, ended up full-time information assurance.

Right around the same time I was a consultant for Temple Health. Don't ask me how I did two full-time consulting jobs at the same time, but I did, and I was doing a lot of security work for them as well. So when my DOD contract ended, I ended up a full-time information security consultant at Temple Health, and they had an opening for a Chief Information Security Officer in 2008, and I applied and was selected for the position, and I've been in this role ever since.

2008. Was CISO pretty common in 2008? I would say not so common. At the time, there were a lot of people that were directors of information security, or there were people with the information security role, but very few with that title and position within the organization when I got that role, yeah. Do you find, like, college and

around cybersecurity, I would assume. So are we finally starting to fill some of the gaps? There were a lot of people trying to hire in the security space and I was talking to different placement firms and whatnot. They said it was some of the hardest positions to find people to fill.

Is that still the case? I think it's more a question of understanding. So to put a little background in place, DOD had it right when they issued their 8570.1 directive in about the 2006, 2007 timeframe, that required certification for staff working on security. And even before that, with their information security officer positions, they were requiring education.

And to become a level three in DOD, you actually had to have that graduate school level program, and where they also pioneered distance learning for that, because back then there were only a few universities that were even offering that degree, and granted a lot of campuses down in Crystal City, Virginia, because that's where all the military eventually got stationed.

So that's how it was. I mean, back then it was Norwich, it was Carnegie Mellon, University of Tulsa, a few others. NSA had their centers of excellence. So DOD had it right about 20 years ago. And the problem is the rest of the industry never really caught up until about five or 10 years ago, and you have a lot of colleges and universities offering cybersecurity programs, and even then, what I've found is we're still in what I call that initial feedback loop.

So people are putting the programs out there, but they need more input from people like us, and people like us teaching these courses. Now, little caveat here, I'm a little bit biased because I taught at Temple University for two years, so I taught in their ITACS program, master's program in cybersecurity.

But what I've really noticed is that there are a lot of real world expectations that still have to be set with the curriculum that we teach students, more understanding of the career paths and a lot more understanding from human resources. We have to collaborate with them to understand what these paths are, because I shouldn't be the only person explaining to human resources that I'll take a DOD

form that says this person completed her military service in cybersecurity in lieu of a bachelor of science degree. Because honestly, the person that served in the military is gonna know a lot more about cybersecurity than the person with the bachelor's degree, because DOD had the more structured program.

So I look at this as, we still have a lot of work to do to explain this and to explain that there are different career paths in security, and more importantly that we establish a better career path for those that wanna be security leaders. Because most of the people in my role, we didn't start out in security, and there needs to be a lot more work done to provide more traditional business education and relating that to security as well.

That makes sense.

Describe the current environment. You know, we find ourselves in a world and, I've told my daughter, who's home from college, I said, we're currently at war. And she goes, what are you talking about? I'm like, there's a cyber war that's going on. And I sort of described it to her, and this interview will probably get released in two or three weeks, but as we speak right now, Scripps is still on diversion.

They're still on, and in some cases they're still down as a result of ransomware. The pipeline just happened, and they actually paid the ransom in order to get the pipeline back running and those kinds of things. But the list goes on and on. There's significant attacks going on within healthcare, outside of healthcare, but I'd love to hear from you what the environment looks like.

I would not use those words to describe it. I would say that we've experienced attacks like this for, I'd say, at least the past 20 years. It's just escalated since then. And now you have a lot of organized crime elements involved, because there's serious money to be made, and with the rise of cryptocurrencies,

it's easier to pay ransom than it was 20 years ago. Because if you take a look at it with ransomware, the reason we're seeing so much of it is because it's easier to get paid. It's just that simple, because 20 years ago, right after 9/11, if I were to try and do a SWIFT interbank transfer of more than 10 grand to the Russian Federation or certain other parts of the world, I would have some serious issues and would have some Homeland Security agents at my office. With Bitcoin, it makes it a lot simpler to pay.

And also with the rise of a lot of technologies out there that allow for anonymization and, quite frankly, the rise of some incredibly good software developers and programs, it's easier to ransom. And also, the other big fact is that we really haven't done a lot of work to update our networks since that big XP Service Pack 2 push in 2004, and that, if you remember that year, Microsoft delayed almost all their products to work on security.

The truth is that we reached a plateau in, let's say, about 2003, 2004. We really haven't hit another plateau since. We had a little something that resembled one in 2014 when everyone went SSL and TLS on the browsers. However, again, what that did is it had the net effect of allowing people to obfuscate and hide where they were coming from even more, because all the traffic was encrypted, and that pretty much shut off half the network security tools that people had put on their networks.

So it's a gigantic game of cat and mouse. It always has been a gigantic game of cat and mouse, and it always will be. The difference is that we need to do what we did back in 2003, too. We took a look at what we're doing, how we're doing it, looked at securing it better, and honestly, got rid of a bunch of legacy applications that we have that open up our networks to make it so easy for a lot of these people to succeed.

You know, so you wouldn't call it a war, an escalating battle, and you're probably right, because what

is what's happening today. There's just this rise in cyber criminals that have figured out, hey, stop this pipeline and it's a quick hit to get five or $10 million put into your Bitcoin account. Anytime you have that, it's a fertile ground. I guess right now you can choose a path of defense, or you can choose a path of crime.

If you're really smart and you know how to crack these things, you can literally choose those two. You can either become an untouchable or you can go to work for a crime family. And that's what we're seeing. We're seeing that battleground more like a Chicago. But regardless, which story that you see in the headlines right now in the cyber world has really caught your eye?

I would say what's going on in Ireland, because it's multiple attacks on their network. Ireland's not paying, and it's a big concern for me because that's a national health network over there, and that's significant disruption to patients. I mean, between that and what's going on with Scripps and what's going on with the pipeline, that is pretty significant.

And I know there's been a lot of talk lately also about the new executive order from President Biden. I'm very concerned also that the executive order from Biden is, well, it's gonna take a while to put that in. Everything in Washington, especially in the first year of a new presidential term, takes a very long time because we're still putting together a new government, and we're at a very vulnerable position right now.

So to make that executive order succeed, we have to put people in place in CISA and Homeland Security and Health and Human Services to really ramp up what we're doing very quickly, and that's gonna be a significant challenge. So you have that with Ireland. That's incredible what they've done.

They've managed to cause a disruption to health services of an entire country. Yeah. In the EU, no less. And with Scripps Health, my thoughts are with those caregivers, my thoughts are with the IT team. Those are some great people there over at Scripps, and I really feel for 'em, because I've talked to other people in San Diego, and

they tell me that those people are going through a lot right now and they're really trying to work through a difficult situation. And I will tell you that those computer systems, if you're down for two weeks, you're already on paper. The more important question is, can you survive the first 24 hours?

Right. Right. And actually, I want to get into that. By the way, the story that has me sort of reeling is the one in Finland. Records and that stuff, but they got the actual notes from the, you know, psychologists, psychiatrists, and others, and their patients. And they're actually not blackmailing the healthcare company.

They're blackmailing the actual patients, saying, we're gonna release your information. And it's very personal and private information. It's kind of crazy. Absolutely. And what's crazy about that, I read that entire story, and that's a story of corruption at its core, because there's no way that system should have ever got into production in the state that it was in.

I'm very concerned because you're talking about people's mental health notes. Yeah. And the risk to people when their very private discussions with the mental health professionals they consult with get revealed. I'm concerned some of those patients are going to do things to harm themselves, and that's unconscionable.

Yeah. Worst case scenario. I'm trying to think if I would go back and talk to a mental health professional after that happened to me. It would be tough to trust them. I mean, I'd wanna do a security audit before. You know, where are you gonna put those notes? That would be my question, and I'd rather have it be paper-based than be in the computer system.

Absolutely. Most mental health professionals I know are still on paper. That's why. Yeah. The executive order, the second part of that I thought was interesting from a healthcare standpoint. As a former CIO, I was thinking, this really makes sense. And essentially what they put in place is, within the next nine months, anyone who sells software to certain government agencies, DOD and others.

Well, and I'm sure it's already been in.

There's software, the commercial software that's out there that they're going to be using up to a certain level. Do you think that's something that will take off in healthcare as well? I mean, I know we have some standards, but I'm not sure. When you look, I think about the fact that we had 800 plus applications in our health system.

There's no way that all 800 of those were up to that. Do you think that's something? I really think that we have to rethink how we have applications in healthcare, and I will tell you, I've had detailed discussions with the security teams at the two largest EMR vendors. Those security teams get it. So I think they know what they're doing.

I don't think the problems are with Epic or Cerner. Those teams are incredible, and I can't say enough about them. Where I think the problem is, is all the little different bespoke apps we create because they do things the EMR can't, and I think that the 21st Century Cures Act with FHIR APIs is furthering having more of the security issues. Because again, the Cures Act has no teeth when it comes to access to our patients' data that's RIE over FHIR, and also I'm asking health systems who are basically at the point of doing vulnerability scans right now to do detailed API security scans and do pretty sophisticated software development.

Again, that I don't expect many companies that are below the billion dollar revenue level, or without the expertise of Epic or Cerner, to be able to do. Yeah, it's interesting. So I'm gonna be the interviewer here and keep moving us forward. You mentioned that Cerner.

Great. Has cybersecurity got everyone's attention yet? Do the CEOs and boards at most health systems recognize that we've gone beyond losing records and we're now at shutting down our health system, potentially? Has that gotten enough attention? I think, and again, I'm gonna cite Steve Long, who's the CEO of Hancock Regional.

Steve Long has pretty much made it his mission to tell people, you need to be worried about this. He's gone out, he's been open, he's talked about it. He is probably the only health system CEO I know who has gone out and gone on record talking about the ransomware attack that his health system had a few years ago.

I don't think a lot of CEOs realize, to the level that Steve Long does, what's going on. I think there are a lot of boards that are starting to realize it. I think that we need to make a big change with how we educate our boards, very specifically by having more IT knowledge on them. I've written about this, and I've done a lot of work with John Riggi over at the AHA about this, because again,

we need to have them understand what the risk is, because this isn't just about cybersecurity. It's about the way we procure products and services and how we manage them. Security, to me, is an outcome of how we manage, how we procure, and how we fund our projects. Good security is a good outcome of a good process or good processes, and I don't think a lot of CEOs get it at that level yet.

And I'll be blunt, a lot of boards don't, and we need to improve that. Yeah. Well, boards are interesting to me 'cause I've sat on boards, I've had to present to boards on cybersecurity, and typically what most boards do is they have that one person, right, the one person who's in technology, who can ask a series of questions.

Then everybody else in there sort of breathes a sigh of relief, because that's the one person who they feel like is putting 'em through the paces, and in some cases it's a very knowledgeable person. In another case it may not be as knowledgeable. They just might be a successful business person who happened to drive a technology company to a successful completion or even an exit.

And cybersecurity, just in and of itself, is a discipline that has to be studied and learned just like any other discipline. I don't think it's something, if I understand, that's.

Every time I sat down with someone like yourself or someone from one of the major consulting organizations or audit firms or whatever, they just educated me to death, because every time it was like, this is how they got into these systems. This is how they get into this system. This is, and I didn't realize how many different, how sophisticated their attacks were to get in.

And I thought, well, originally we thought if we build a big enough wall, they're not gonna get in. Then we realize, all right, they're gonna get in, and our biggest vulnerabilities are people. But once they're in, now we have to rethink our architecture. I mean, this goes to the deepest level of everything we do in IT.

And it's architecture, it's process, it's projects, it's governance around which applications we let in or not. And there's just so much to know and learn. So let's get constructive. Where do you start? If I just hired you for my health system, you came in, it's following a breach. We let go of the team for whatever reason.

Maybe it was an egregious breach of some kind. We bring you in. Where are you gonna start? The first thing you always do, at ground zero, is you always assess the risk that you have in an organization. No matter what you do, you start off, you interview people, you do a quantitative risk assessment, because you have to understand what the real issues are, and you don't do it in a bad way.

You sit down, you talk with people, you understand what the environment is, you collect your information, and you do a detailed risk assessment, because one of the big challenges you find in security is that the issues aren't where you think they are. You have to do deep analysis and deep research, and that's why I always start with doing that and doing a lot of it, because ultimately I have to be able to go to senior leadership and go, this is the analysis I did.

This is the process we followed. These are the results. This is how we've ranked it, and this is what we need to address first. Because ultimately what you're doing is you're starting from ground zero. You are basically telling your leadership, this is the path we need to take forward.

I'm gonna need cooperation from your entire organization. These are the goals we have to meet as defined by the assessment, and these are the changes we're gonna have to make. And it's not just buy a firewall anymore. It's now talking about process, working with teams, understanding what they do, and having them alter those processes.

And you have to be a lot more collaborative as well. A big issue I find in this industry, and I'm gonna be very blunt in calling this out, consultants who are very judgmental about these situations, is that they don't understand the business, they don't take the time to understand the business. They don't take the time to understand the needs of the customer or the needs of the business. You have to do that first, as part of your risk assessment, before you do anything else. Because if you try putting anything in with security that doesn't meet the customer's needs or doesn't meet the business's needs, it will get thrown away. Yeah. They just won't do it.

Mm-hmm, it's interesting. Well, and that was part of what I was gonna ask you, is that something that you would do yourself with your internal team, or is that something you can rely on an outside firm for, that analysis? I think, because on one side you would say, hey, we want an honest analysis, so we need to bring in somebody from the outside.

And in some organizations that just happens to you, right? You've had a breach. Your internal auditor's gonna come through and do an exhaustive evaluation, and they're just gonna throw a report in front of you. But would you still do that yourself? Yes, yes, I would, and I would hire people internally that wear a badge that isn't the contractor badge.

The reason why you do something like this is because people aren't going to say things to outside consultants. The movie Office Space is the perfect metaphor. Why don't they wanna talk to the Bobs? Because if they say something bad to the Bobs, they're gonna not have a job. So, I mean, call it for what it is, yeah.

If you've got the badge, you're an employee, you're a team member. You show you have skin in the game and you're willing to work with them, instead of being someone that gets parachuted in to tell the CEO, you did a bad job. You're gonna be more apt to work with me and tell me how we can constructively improve.

I prefer to do things internally and not hire consultants, for that reason, because I get more accurate answers because people aren't afraid of me. What's the most common gap that you find in most healthcare systems' cyber programs? Due diligence. I think that we make a lot of effort about protection from the outside world.

We put a lot of emphasis on selecting third parties, and I think the unintended consequence of SolarWinds has been that a significant number of people offering third party vendor risk programs took their marketing materials, added the word SolarWinds to them, and are making a lot of money off of CIOs that don't know any better.

And again, I have to call it for what it is. I think that there's a lot of work that has to be done to enculturate security into the due diligence process and into operational management. I think we've run security as part of a separate track too much, as part of IT. And I think that's led to the detriment of systems not being as secure, because each side assumes they're doing the right thing, and yet they're not working together to ensure they are.

We're not at a point where we can operate separate tracks anymore. Security has to be more pervasive than it ever was, and it needs a different type of professional than it did 15 to 20 years ago to make this work. And nowhere is this more relevant than healthcare. I came in following a breach as the CIO, and one of the first things we did is we created a chief security officer who was my peer, and now I still had a security team within IT because they did the operational stuff, right, the technologies.

Sort of an internal audit function. They were an enabler. They identified, they did the risk assessment, they addressed the board, and they really were more oversight for my operational team. They were absolutely oversight for my operational team, much more so than I was as the CIO. They were the ones who were sort of dictating, here are the priorities and here's where they're going. Do you think we need to get closer to that model? I'm not a proponent of either. I'm just sort of throwing it out there, where security is now almost a peer to the CIO, because security needs to be that pervasive. I had this discussion with my old boss at Temple five years ago, and it was true then.

It's true now. Security is evolving as a function to be more throughout the organization than just within IT. I will tell you, half my day is spent talking to legal and privacy and my customers. It is not spent talking with IT as much as it used to, and a lot of the work you have to do with security now, it does not really involve IT as much as it used to.

When we do our risk assessments, two thirds of the work is outside of IT. So I look at security, I mean, depending on the organization's structure and how it is structured, every organization is different. However, security needs to be a quasi-independent function within whatever organization it's in.

And I'm not gonna comment on organizational structure, because every org is different. And I think a lot of people in security are too worried about where the position sits, not what it does. Yeah. So how do you determine, this is the age old question, and I'm not sure I have an answer either.

So how do you determine the right amount of funding for a cyber program? Is it based on the size of your health system, the number of employees, the number of applications, the number of, I don't know, endpoints? What's it based on? So I look at it as, again, you go back to your quantitative risk assessment.

You take a look at your risk management plan, and you also take a look at your strategic plan. I actually think it's more a function of your long range strategic plan in IT, more than it is any other factor. And the reason why I say this is because I look at security as something that you now make part of every project and your internal processes.

So the amount of funding security gets needs to be commensurate with the ability to protect the assets, people, processes, and technologies that you're utilizing to facilitate the long range plan for the organization. I want a more concrete answer. You're killing me, 'cause you know, so I'm a $7 billion system.

Some applications through the cloud. We've got about 25,000 employees. We've got 16 actual hospitals. We're starting to do care in the home. We're starting to do IoT and that kind of stuff with the remote patient monitoring, and even some monitoring within the four walls of the hospital. I mean, is there something concrete that you could latch onto to say, hey, look, you're $7 billion, you should have 10% of your budget in cybersecurity, 5%, anything?

Oh, absolutely. And again, I can break it down. I'd say at least five to 10% of your budget needs to be focused on security and security measures. And more importantly, it needs to be built in. And I look at this more as a function of each project, and I look at it as you need to build it into the ROI of every major project you do that doesn't involve actual building construction, and even then you build it into that. But it has to be built into your financial models. And the biggest concern I have is not with security and funding it. It isn't with the amount of funding security, five to 10%. You can actually do a lot with that. The concern that I have is that people build these huge, long-term projects, and I've seen where ROI gets cut to make a project look better, to get a higher percentage return on investment. So they'll go, it already does security, and they'll cut out the security portion. They'll cut out the IT portion. To me, the biggest danger to security these days is people cutting out the IT or security parts of ROI to juice the ROI.

So we need to have leadership that says you're gonna have security as part of your project costs. You're gonna have the proper operational staff as part of project costs. 'Cause again, as I was telling someone else, the second you have a data breach, your ROI goes negative. Yes, it does, especially a ransomware attack.

You go on diversion for even a day, and yeah. Mitch, I get this question. Small rural health systems, can they keep pace with the sophistication of these attacks? I actually think it's possible. I mean, the issue is that you have to leverage a bunch of the programs out there that are available now. They've actually loosened up the Stark Act a little bit. These organizations can receive donations from larger health systems of cybersecurity services. However, if you use some of the really good managed security services providers out there, I don't see any reason why a small to medium provider can't have some of the big features that the larger ones have.

Ultimately, you're going to have to move to that model, and with the move of most of our EMRs and most of our other critical services to the cloud, that actually makes it a lot easier as well, because you're not having to put in a funding request to get some gigantic IBM server to run your ERP system on.

Now it's a fixed cost. It's a lot more predictable, so you have to still do your clever financial management. But with the rise of MSPs, I think small to medium sized providers have a lot more options than they did a few years ago. What are the key staff, I'm, I'm trying to think how to ask this question.

What are the key roles that you have on a security team today within healthcare? What do you normally have on staff? Now, I understand you just talked about MSSPs, you talked about service providers, you talked about others, and so every health system's gonna be a little different based on budget. But let's assume a decent-sized health system. What's the makeup of the security staff?

So you've got to start with your third-party risk, because like you said, you talked about over 800 applications. Think about how many vendors you have overall providing goods and services. You have to have a good team working on third-party risk. You have to have a team dedicated to risk assessments, and not just HIPAA but also PCI. Because again, you take credit cards. I don't care if you're a small community hospital in the middle of Nebraska or you are one of the larger health systems, you're gonna take credit cards, and you have to make sure you maintain some degree of PCI compliance, or if not, outsource it to someone that will. You really have to do that. You have to have a team that does those risk assessments. You have to have a team that deals with vulnerability scanning. You have to have a good operational team that keeps your servers and services patched. And you have to have someone that checks up on your vendors to make sure that they're doing what they're supposed to be doing as well. And you have to have a good incident response team, a really good service desk, and good security operations to help configure and maintain the equipment.

It's interesting when you talk about PCI. We always kept PCI with a separate vendor that was PCI compliant, and all the things that that entailed.

But then we saw Target get killed by, I mean get hacked at, the vendor. And so you made the point of saying we've gotta keep our vendors accountable, so we have to know how to at least hire or have the people do the right follow-up audit on our vendors that are doing PCI work for us, doing the credit card transactions, and be able to do a PCI audit on those people. But gosh, the number of BAAs and whatnot, that team's gotta be running around with their head cut off, and there's a lot of work to do in that space.

Absolutely. And a lot of the BAAs out there are very non-specific in terms of security requirements, because I learned one lesson back in my DoD days from a former Marine, which is: no vendor, no application, no system will be a hundred percent compliant, and anyone that tries to be will be bankrupt. What you wanna do is make a best effort to make sure that they are as compliant as humanly possible, which is difficult, and you have to work with them, and it's a lot more work to do so because a lot of these vendors, they're in a period of understanding as well. They need to understand what to do, because they're a lot like other health systems. They've been thrown into this. They don't wanna see patient safety events. They don't wanna see issues. They wanna make sure things get done, their product is secure, and their name stays out of the press.

Except for good things too.

Yep, absolutely.

Last two questions here. Any advancement you're keeping an eye on in detection or... that you have your eye on and say, man, that would be a significant move for us?

Well, realistically I wanted to see some advancement in medical device security, so I did something that was a little bit different. I do a lot of work with IEEE when I'm not working for IU Health, and I've been working with a group that's a joint IEEE/Underwriters Laboratories group, which is P2933, which is trust, integrity, privacy, protection, safety and security for the Internet of Things. And we're actually working to help create that standard for the Internet of Medical Things so that we can have more secure devices out there, more secure data interchange, and a better architecture.

I thought it was more important, instead of having some product out there, to collaborate with the vendors to get that architecture in place that we could use, and more importantly, have something that could be used internationally. Because a good chunk of the medical device vendors we use, they're not American corporations. They're based in Europe, they're based all over the world, and we wanna make sure that we have the right architecture in place that they can use, that we can build off of. Because the biggest challenge I found is I didn't see a lot of good architectures in place for building these secure systems. We have a lot of effort going on out there. We have some great work. However, if you can solve it at the architecture level, if you can solve it at the engineering level, I believe you get a lot more traction than you would using other means.

I've started closing these interviews with a very, very open-ended question, which is: is there any question I didn't ask or any area I didn't cover that you're like, hey,

this is probably something we should talk about, the community would really benefit from a conversation around that?

So I'm really trying to think, because we covered a lot of ground today.

We did, we absolutely did.

I think that the biggest thing that we need to continue talking about more is not security as a discipline within itself, however, security as it works with the rest of the delivery organization to ensure that... and also integrating it more with privacy, because ultimately security is an incredibly good function. We align with the mission and values. We love doing what we do. However, we need to have that quote-unquote force multiplier to be able to be more effective, and that is working with our customers in a more cross-disciplinary manner. And that's something I've seen a lot of in healthcare outside of IS, and I'd like to see a lot more of it within IS. And again, I look at people like Ed Marx as my model for how I do this, because Ed did a lot of great work with this at Cleveland Clinic, and I look at what he's done as the model for security and how security needs to evolve over the next few years.

Awesome. Hey Mitch, thanks for your time. We really did cover a lot of ground in these 35, 40 minutes. I really appreciate you sharing your wisdom and expertise with the community.

Awesome. Thank you very much for the time, Bill, and again, always great speaking with you.

What a great discussion.

If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It's conference-level value every week. They can subscribe on our website, thisweekhealth.com, or they can go wherever you listen to podcasts: Apple, Google, Overcast, which is what I use, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.


© Copyright 2024 Health Lyrics All rights reserved