This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week Health Conference. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a set of channels and events dedicated to leveraging the power of community to propel healthcare forward. Today we have an interview in action from the Fall Conferences on the West Coast.

Here we go.

All right, here we are for another Interview in Action. I'm excited to be joined by Buddy Hickman. The Buddy Hickman. Is this your first time on the show?

Well, we may have talked one other time, but, wow, it's...

Somebody was asking me the other day, how many interviews have you done?

And I asked the team to look it up, 1, 600.

1, 600. Well, that explains if you can't remember one of them for

sure. Yeah, it's been, it's been, uh, it's been a good ride for five years. Buddy, give us an idea of the work that you're currently doing today.

Well, as you know, Bill I was a sitting Chief Information Officer for almost 25 years in the health sector.

Most of that time being spent in academic health. Science centers and systems and otherwise along the way spent about 11 years between two big four firms. I was at PwC early on and spent eight years at EMY, eventually admitted to the partnership at EMY. All my work, though, has been healthcare sector work.

I decided... Way back a long time ago coming out of school that I wanted to work in healthcare, and I've never strayed from that mission. Currently, I'm working with First Health Advisory. First Health Advisory is a A health focused, managed services and advisory firm whose work, generally speaking, is about cybersecurity, tech stack, and other things that you do to assure your organization with regards to those elements.

I served as the chief strategy officer with FIRST Health. And that, that can mean a lot of things.

Yeah. So, it's interesting. I was just. On a call with with David Ting, and we were talking some cybersecurity and we were talking about the numbers for this year, and the numbers are worse this year than they were last year, and last year it was a record over the previous year.

Is this trend just because the attacks are getting more sophisticated? Because we are spending more money in the cybersecurity area, I would think,

well, definitely the attacks are getting more sophisticated. I think they're also coming with greater frequency, and we could probably list a number of other things that are the whys.

I mean, uh, we all understand why the health record is valuable to others that may want to use it for nefarious purpose. Even the recent 23 and me hack. I don't know how much you've tracked that one, but that one's been interesting, as to all the speculation of things that could be occurring with that data, even to the intentions, perhaps, of targeting ethnic groups, so there, there are lots and lots of reasons that we're seeing this sort of attack vector directed toward the health industry. And David Ting's usually spot on about most of the things that he says, as

you

know. Yeah, he, it was it was pretty interesting conversation. We were really speculating over.

If we are going to be able to get in front of this. So if you're having conversations today with a health system and you're probably talking to health systems that are large and small, and maybe the strategies are, I mean, they have to protect against the same things, but the strategies might be a little different.

What are the best. What are health systems doing with regard to cybersecurity these

days? Well, most of them would have in place some sort of a framework that they're following. To assess themselves, maybe we'll look to a third party to do that assessment. Some do the assessment internally, but by framework assessment, first, I mean, a maturity model type framework assessment.

Examples of that would be the NIST cyber security framework, the HHS. 405D framework. There are also framework tools from the Center of Internet Security. You can even be talking about ISO and GDPR, if those things are relevant to you. And even finally, Health Trust. But the Other things I would add to that would be in addition to maturity models, technical testing, an example might be penetration testing, other forms of testing like social engineering, more mature organizations usually.

generate a number of things whereby they are validating that their position is secure, or as best as secure can be, from a zero day type attack. I'd also add to that thought that, the tabletop exercise of five years ago is not the tabletop exercise today. Tabletop exercises should contemplate Any number of scenarios, but certainly the extreme scenarios of how do you keep the organization standing up and running continuously should you be out of the water?

I believe John Rigi in his comments just Probably two to three months ago at the HIMSS Cybersecurity Symposium over in Boston, he offered that all of us should be thinking about the time when we will see a significant enough threat that we have to be able to run our integrated delivery network for four weeks.

With no systems. In fact, he challenged the question by extending it to say, and oh, by the way, it could be a regional event that you're facing. So all those friends and neighbors that you've depended on for patient diversion and for lending a hand may also be down. so, I mean, the way that we think about it in the extremes these days would be that's for an event and having preparation.

To address it accordingly. So you ask about the best systems are doing those kinds of things and really looking out the further reaches of the maturity models.

Yeah I did an interview of Skylake's medical center just after their breach. And 1 of the things he said, which, which cracked me up was like.

We didn't have enough paper, we didn't have enough pens, like, it's just the, I mean, when you go to the extremes, even the basics, the mundane that you just, you just don't think about, it's like, we're going to have to be on paper, and it's not like they didn't have enough paper for this week, or enough pens for this week, but it lasted, as you say, it lasted for four, a little over four weeks.

for Skylake's Medical Center.

Yeah, I found myself wondering the other day, I was in a conversation with a couple of people at the Triumphal Forum about sort of the early pioneers and all the things that they talked about getting rid of, and I wondered maybe, Bill if we could you know, dredge up some old addressograph machines?

Those also might be useful in a downtime.

Yeah you and I were at a 229 project meeting together with some CISOs. seem to really focus in on third party risk being one of those areas that is is really top of mind for them today. If we're seeing anything, we're seeing this rise in attacks that are going for, let's say, like a revenue cycle company that, if they get into one health system, they got into one health system.

But if they get into that rev cycle company that works with 15 or 20 even health systems, they can actually breach. 10, 15, 20 health systems by just going into that one that one area. Talk a little bit about third party risk. How are we thinking about that? How are we approaching that these days?

You gave a spot on example of concern. And if you think of some of the historic breaches that where a third party was profound, and I always echo back to the Target breach from a few years ago. breach occurred due to a third party, I think it was a refrigeration supply chain vendor that was breached.

The, all the electronic management of the refrigeration units, they were accessed, because they were also inventory management tools, and it was crawling, through those networks and then through those segments right into the target network because that breach occurred. So, your question is how should we be thinking about it?

Got to think about it acutely, obviously, and remember every single day that. Anything that we are network connected to and any party whereby we are sharing data has to be a part of the cybersecurity

ecosystem. 📍   📍 We want to thank you for a wonderful year. As you know, we have celebrated our five year anniversary at This Week Health, and we are going to enter our sixth year of doing this. And we set out a goal to raise 50, 000 for childhood cancer this year, and you did not disappoint. We have raised close to 60, 000 this year for childhood cancer, and we really appreciate you.

We appreciate you. The community coming together. And we hope to do more of this next year. We hope that you'll join us. 📍 📍  it's gotten to be very difficult to, when we think about how far out, I mean, the two aspects you just gave us, how far out our data has gone, and we do need to manage that really well.

I mean. Most contracts I got as a CIO, and probably you got for these third parties, it was like, yeah, just give us access to this system. And, a decade ago, we wouldn't think anything of it. We'd just be like, all right, yeah, they need access to that system. But today we're much more specific, right?

We're saying, okay, what information do you actually need? To do your job. And we're starting to tighten that up. But the other is those third party control systems and whatnot, and literally they can get in through the air conditioner and be on the network and start sniffing around. I mean, these.

Are sophisticated , they're sophisticated and difficult problems to to manage and

address. I think about the HHS 4 0 5 D framework and all the work done with regards to the health industry cybersecurity practices, of the five. key threats. In fact, let me pause and say the five key threats because they're the ones that occur with most frequency and will have most impact.

One of those is attacks on network connected medical devices. All right. Well, let's take that thought that you just shared and expand it because in addition to network connected medical devices, And of course, all those things that we already considered IT, anything and everything that's operational technologies are also at play.

And too many times these days, you still find that the operational technologies may reside within another reporting structure, and those are. Also, subject to concern you mentioned HVAC. I think it was three weeks ago we saw Johnson Controls in the media because of some circumstances that they were facing.

I think everybody went to high alert in case there was a breach that could be affecting on a healthcare organization. Imagine that. Imagine not being able to cool down the ORs to the temperature. You have to bring it to be able to perform a surgery. Imagine the reversal or inability to manage a negative flow for infection control purposes in a patient room, whether it be for COVID or other aerobic bacterial concerns.

I mean, all of these things are at hand now and everything in the ecosystem, again, has to be considered.

Yeah, there's uh, I think two, two directions I want to take. Last two questions. One I won't, I want to talk about labor and how cybersecurity labor has been impacted over the last couple of years and what organizations are doing.

And I assume some of that leads to the work that you're currently doing. But before we get there, I want to talk, one of the conversations at the 229 CISO event was this whole idea of. response of almost being able to rebuild your network from the ground up rapidly, seemed to be a pretty pervasive concept.

Now it's like, it's not if, but when, and when it happens, you need to be able to from start to finish, be able to rebuild that thing in a matter of, it shouldn't be months or over four weeks to a month that you're out, it should be. Hours or days and you're back up and running from nothing.

And are you finding that trend to be pervasive around the industry? I know that it was a common perception amongst those 10 to 12 CISOs, but I'm wondering if that's pervasive across all of healthcare.

Bill, your 10 were... Top end 10 to 12 CISOs at your event for sure. the dialogue as you saw represented many leading practices that each one of them were, leading or seeking to lead at home, the idea of managing a network circumstance so that.

You can recover it in a very short period of time. It's no simple task, and that resides on the IT side of the shop, generally with the infrastructure team. There certainly are folks that are beginning to move to networking as a service is one way to get there but I think less than more.

In the health sector still, and similarly I still believe that there is significant provider organization space where that ability to do that recovery is just not there. organizations just may not have the wherewithal to continually. Image and document everything of the network circumstance with the kind of precision you have to do that with to be able to create that recovery.

Notwithstanding, the other challenge is supply chain. cAn you get the network appliances that you need as quickly as you need them to make, model and manufacture to recover those pristine images to and stand them up. So, having that plan documented. So that you understand the exercise of getting there is the first step.

That will cause you to uncover the problems that are going to slow you down when you actually had to commit to

it. Talk to me a little bit about the services of FIRST Health Advisory. I know a lot of organizations are starting to lean more heavily on managed service providers and even some selective outsourcing of different types of activities.

I'm curious when you're called in, there's probably a consulting component, but there's also that managed component. What kind of services would you offer a health care organization?

Well, pretty much anything on that spectrum of, we've got several words to describe it, but I'll use the word assurance because assurance would address matters of performance, resiliency and hardening.

The circumstance being secure having a proper architecture and so on. Then carry that idea into the, we'll call it the architectural stack, as well as across all things cyber security and that ecosystem. Whether it is advisory on the front end addressing matters of governance be it digital governance and then how the digital and IT governance spans to cyber security and risk.

Whatever those governance matters are, we find ourselves involved in those conversations. Sometimes we might find ourselves in an advisory role as to thinking through cyber security. Policy framework from an insurance coverage standpoint. advisory also, Bill, of course, includes all of those frameworks that you heard me taking off earlier.

And yet, those are points of entry not only for our firm, but for anybody that wants to do this kind of work as a provider. You need to do the framework assessments to truly understand your own circumstance, your own heat map. the risks that you're carrying by risk scoring, and then have a roadmap to follow.

And generally, First Health Advisory can support anything on that roadmap both in terms of standing up and delivering, even supporting, and then even in the form of managed services, if managed services are needed. Sometimes those managed services are us doing the delivery. We certainly give care to managed services specifically where people need virtual CISOs, virtual CTOs.

We also, have a significant clinical and operational technologies practice whereby that team is capable of delivering the solid managed services. And beyond that, we have an ecosystem of vendor partners, and by partners, I mean vendors whereby we have signed agreements and can cooperate a solution agnostically, if preferred by the client.

And specifically if there is a preference, because we can point to, the upside and the downside of many of those partners as well for a given circumstance. So, in the end, I'd say we're a full service provider of anything in the cybersecurity tech space.

Well, fantastic. I appreciate you.

Showing people that there is life after being a CIO. I think that's the thing we have in common. We're both living demonstrations of that. I love the fact that, you spent the time in the big four doing all that consulting as well as the CIO role. And it does, I mean, you literally can go in a lot of directions post sitting in the chair for a long period of time.

I mean, there's interim roles and you did a couple of interim roles, if I remember

correctly. That's correct. Yes, I did. I, spent some time at Harris Health System in Houston and had a great time working with that team there. And I'd say. And even more unique and grand time out at San Yid Health in San Diego.

My first experience working in an fq and in that particular case, a very, very successful large FQ serving a very diverse population. That was a great learning experience for me. But Bill, you're the same way. I get to pay the compliment back. I mean, you guys stood in this role and been on the line for a long time and it's wonderful to see how you've, made a transformational shift and are using your platform to have so many voices

sound. Yeah. Do you find you sleep better at night now?

I sleep more at night. We can say that, right? A little less stress.

I tell you what, man, I, because we've been in the chair, have the utmost empathy and want to support the CIOs any way we possibly can because it is such a.

Such a challenging role and I'm not sure it's getting any easier. The pace of change is continuing to increase sophistication of attacks. I mean, it's a it's a challenging role. Hopefully we can both continue to support the CIOs as we move forward.

That's the most fun that we have.

Yes. Absolutely.

Hey, buddy, thank you for your time. Really appreciate it.

Bill, it's always a pleasure to see you. Thanks for sharing with me today.

Another great interview. I want to thank everybody who spent time with us at the conference. I love hearing from people on the front lines. It is phenomenal that you shared your wisdom and experience with the community and we greatly appreciate it. We also want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders.

They are CDW, Rubrik, Sectra, and Trellix. Thanks for listening. That's all for now.