Erik walked off stage on into our interview. We discuss M&A, Attack Surface and how events around the world must be taken into account with your cyber security strategy. I hope you enjoy.
All right. HIMS 2022. And we're here with Eric Decker with, , Intermountain health. Nice to, , nice to catch up with you. Last time I caught up with you. You were with another health system now you're with Intermountain.
Yeah, it was at the university of Chicago medicine. And, , just about a year ago, I transitioned over to, , inner mountain
Yeah. Working remote. Or did
you make the move? I actually live in Chicago, , and I, you know, this whole flex work remote, , model. We are 100% on the flex work pathway at inner mountain. So I'm staying in Chicago. , most of my team is actually in Utah, but they're also remote.
So you're choosing to live in Chicago.
I'm sorry to lose so many the St. Louis Cardinals fan. I we're done.
Are you a Cubs fan or although really? I don't care too much about baseball. It's
football is football. Well, yeah, I could, I could go with the bears, although when's the last time they won it was that, oh my gosh. That was a long time ago.
Sorry. I, , but we digress, , security. So you just get them off the panel. Cybersecurity. Yeah. , one of the last questions actually was of interest to me. Cause you guys just did a deal with SEL, so M and a is one of those things. That's very tricky for cybersecurity teams. How do you approach that in a very sensitive.
I mean, it's almost zero trust. Like you're right. We're trying to communicate, Hey, we trust each other. We tried to say, I, then the security teams get together and go, Hey, we don't trust each other. Let's
verify. Yeah. You know, it's, it's due diligence. Right. So there's, you know, being part of the process of due diligence is important.
, and there's stages of that, you know, between letter of intent and agreements and then, you know, final transaction closes. , but you know, I think if you're gonna think about the punch list of items and in every security. You know, we're thinking about this in the same way, you know, so all, all intentions are great, but the various types of assessments that you can run, , you know, looking at the existing risk assessments, looking at maturity models, , doing, , compromise assessments is a really good idea just to kind of see if there's any dwelling, bad actors that are out there looking at your attack surface, you know, so what is the perimeter look like?
And there's ways you can bring outside firms to do that for you. And those. Yeah. You know,
it's interesting because you talked about the different stages of the deal, because you'll typically have a letter of intent and really you don't get into each other's business all that much during a letter of intent, it's more like it's introductions.
It's getting to know each other. Right. And maybe coffee and like, Hey, what do you guys do? What do we do? When does it start to get a little bit more serious? ,
you know, it, after that, certainly, , coming up to. You know that what the agreement's going to look like, you know, but if from a cyber perspective, you've got to think about what our job is.
I mean, we're, we're here to ensure that there's nothing big and material that's, that's potentially going to cause a problem. Right. And so your, your engagements are going to be really focused around those things early on. And then it's about integration. Then it's about, you know, how do you adopt the same service platform and model and so forth and go
I was part of the, , , company, but we weren't small. We were 16 hospitals and we were being acquired by a much larger health system. And, , they were a little put off by the fact that we were like, Hey, we want to see your security, the acquired, looking at them saying, Hey, look, we have policies procedures on our end before we connect to you.
And they were sort of looking at us like, you know, we're, we're acquiring you. What are you, what do you think that, that, , the people dance is is, is not.
Yeah. And, and, you know, depending on the size of the deal and what you're talking about, if they have people, they don't have people. I mean, some of the smaller acquisitions that you do that might, might be like, if you have three, it people in the whole shop.
And so there that one's pretty, you know, rip and replace. , when you're dealing with like a merger, it's obviously both sides have capabilities and it's shown, you know, at the end of the day.
So over the last couple of weeks, we've had a heightened state of awareness. I sort of look at that and I sorta laugh because I haven't been, we've been on a heightened state of awareness for two years.
Yeah. Or is this
even a higher, I mean, it's, it's honestly got me nervous. , this is, you know, when I think about this in my, not in my role at inner mountain, per se, although certainly in it or mountain, , you know, but I'm also the chairman of the cyber working group, which is, , one of the health care is one of the 16 critical infrastructure is identified as part of the national infrastructure protection.
And so with this, you know, Russia, Ukraine, conflict, that's going on. The big, the big concern is collateral damage of a cyber right. Cyber attack and cyber war. And it, it already had happened in 2017 without pecho and it already had hidden back to the Homeland in that front. Now you always worry, right?
There's things come up and
get the messages. Yeah. Essentially the, the software's not that great. Well-written that it's just going to stay within the borders of the Ukraine. It'll it'll seep out. That's what we're worried about. Yes.
That's my primary concern. , but there's other issues. I mean, there's, there's, you know, ransomware groups in Russia, the same, they'll do retribution against anybody who Polis sanctions anonymous in the United States, as you know, declared war.
I mean, what happens when non state sponsored actors go at one another? What does that do? You know? I mean, this, this is a whole new territory, you know, in
my mind and it really, it really is a whole new territory. I mean, you can have, yeah, it's a whole new territory. When did the articles of war actually yeah.
In cyber space actually take effect. I'm not sure. I don't know, but yeah, but, but those are very real conversations. I mean, the, the, the, you know, it's very obvious where the bombs and missiles are falling in the physical world, but it's, it's not so obvious in the, , in the cyber world. That's right. , you know, it's, , I was noticing that, , Microsoft.
Pulled in. So Microsoft identified some software of some malware that was happening. They notified people within 24 hours. Actually, this is thing that sort of warms my heart is we're finding this stuff a lot quicker. They developed some software to counteract that very quickly, but then they were pulled in by the, the us government to be a part of.
And are we seeing more of that? , That industry, , you know, government.
Yeah. I mean, so there's yes. Is the answer, , is it perfect? We're never, who knows what the perfect state's going to look like at the end of the day, but the, , there are federal partners, there are industry partners. There are forms that, that, that we meet.
There are forums where we discuss the issues at hand. There's an exchange of information. There's again, there's opportunities. I think. For better sharing on some of the specific, you know, things that, that come up. , but the FA the very nature that we meet on a regular reoccurring basis, there's a new national cybersecurity director, you know, in the white house, who's taken a, , a distinct interest in us.
And so, I mean, Excellent.
Where are you going to find a additional talent in the cyber security space? It's it's tight, isn't it?
Yeah. So Intermountain has, , has opened up hiring nationwide, you know, so we're, we're looking, you know, just outside of Utah, which has been traditionally the, the place that we've gone.
, but also, you know, looking at bringing in removing education barriers, you know, education degrees and things like that from, from the job descriptions and going from on. , we're establishing apprenticeship programs, you know, working on experiential year long, , you know, a cohort that comes in and, ,
so college graduate, are there any specific degrees you look for and you say, yeah, we can make them a cybersecurity professional.
like, like if you got the talent, you can, you can do this. I mean, you kind of cell biology degree, you know, from, from my undergrad, I mean, my master's is in computer science, but, , I mean, lots of people would come up from lots of. Clinicians have come into cybersecurity. And that's actually a really, it's a really interesting take and cyber is not just technical either.
You have to think about that too. So there's risk there's service. There's, you know, , policy there's there's business offices, there's all of these, you know, disciplines that are inside of it, marketing branding. I mean, if you think about, you know, sort of how to engage and, and send a message. Yeah.
You know, as we get.
It's probably my closing question. We're coming up on time here. So, , as Intermountain gets bigger, does the, , does it get more challenging? I mean, does your attack surface actually grow or does it not really grow because it's a similar business across all those entities. I mean,
it, by its very nature, it grows because there's just more technology, you know, there's , depending on how you architect and all that kind of stuff, it can, the pathways can be different.
Yeah. I mean, there's, there's complexity in all of this complexity in digital and that's just the nature of healthcare and 📍 our job is to organize
it. Yeah. Fantastic. Eric. Thank you. Thank you.