November 18, 2022: Why is cybersecurity still so complex? What is the 1/10/60 minute challenge and how does it help to stop breaches? Drex DeFord, Executive Healthcare Strategist at CrowdStrike brings 20 years of military skills to the healthcare cybersecurity table. The attacks are getting faster and faster. The bad guys only have to be right once but we have to be right all the time. What can we do to become even more sophisticated in our cybersecurity best practices? What happens when a long-term hospital CEO retires? How does it affect clinical care? Business operations? What about culture? What can be done to smooth out the transition?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
The E-crime syndicates that are involved in this are able to make so much money and take very little risk in actually being arrested or going to jail. It's a very lucrative business and very lucrative businesses in the free market, even in the criminal world get more money, get more investment, get people who want to be involved in the sort of cutting edge, bleeding edge high tech. And that's what a lot of the adversaries are today. They're high tech companies with CEOs and CFOs. They have bonus programs, they have employee of the month programs. Literally they have all the kinds of things that big companies have, they have all kinds of alliances with negotiators for ransom and all those things.
Thanks for joining us on This Week Health Keynote. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to our Keynote show sponsors Sirius Healthcare, VMware, Transcarent, Press Ganey, Semperis and Veritas for choosing to invest in our mission to develop the next generation of health leaders.
All right. Here we are. We're gonna do a keynote episode from the CHIME Fall Forum with Drex DeFord. You know the keynote listeners probably aren't as familiar, although they are cuz everybody knows Drex DeFord. So Drex DeFord with CrowdStrike, you are
I'm executive healthcare strategist at CrowdStrike and I'm a long time healthcare CIO from the US Air Force and Scripps and Seattle Children's and Steward. And yeah, somehow magically wound up at CrowdStrike doing cybersecurity in the right place at the right time.
We will end up talking about some of that stuff. Okay. This is a little longer format. We usually do the Newsday show. It's kind of, it's kind of boom, boom, boom. 30 minutes. And we have the backdrop of the conversation is really the news stories. And we are gonna talk about Senator Warner a little bit.
I'm sorry. Okay. I can't help myself, but we are gonna talk about this stuff, but I think we're at the chime fall forum, and. Great to get back together with a lot of our peers. And as you say you walk five feet, you see somebody. In fact, we see a bunch of our peers walking behind right now.
Yep. And one of the things I wanted to talk to you about was career progression. You just rattled off a number of health systems that you were with. And before that, the military, you were in the Air Force. Air Force, yep. I was talking to somebody today about when you came into CHIME and you came into a bootcamp and that kind of stuff, and I immediately asked the person how old they were, but because how long, so you were in the Air Force and how did you get into healthcare specifically?
Yeah. So I spent 20 years and 21 days in the Air Force before I retired, and I never intended to stay other than the first sort of four year tour that I signed up for. So I was an enlisted guy and I enlisted in the Air Force. I tested into an information technology career field, and so I got some experience doing that.
I was stationed at Yokota Air Base, Japan, outside of Tokyo. And we tracked all the cargo and passengers transiting the Pacific using old paper deck cards. You remember those old punch cards. And so I, I sort of have this background in technology as an enlisted guy. Went to school at night, finished my degree, and when the Air Force offered me a commission as a Medical Service Corps officer, a hospital adminis.
And so I thought, Well, I'll do that for three more years. It'll gimme some good experience management wise, and then I'll get out. But then I've sort of found out myself in this weird situation of being like the hospital administrator who knows something about it. And as it continued to grow and expand over time.
in the Air Force medical world in many ways ahead of what was happening in the civilian world, cuz we were deploying electronic health records really early. I kept getting good, cool, interesting jobs and so I went from a small hospital to the Air Force's School of Healthcare Sciences as the Deputy CIO, and then the Air Force sent me to the University of Alabama Birmingham to get a master's in Health informatics.
And then I took over one of the regions, So I had 14 hospitals across the Southern US and David Grant Medical Center, one of our largest medical centers in the Air Force, as a CIO. And then I went to DC as the Chief Technology Officer for Air Force House Worldwide Operations with 80 plus facilities around the world.
Some of them getting shot at on a daily basis. So, A really interesting kind of crazy career. I never intended for it to happen, but like good opportunities kept coming along, and so I kept taking advantage of those opportunities. And then 20 years came and it was like, No kidding, this time I'm going to get out.
And because I really had reached the retirement point and there were other things I wanted to do, and I was lucky enough to be offered the job at Scripps Health as the cio. So that was kind of my first transition.
Oh. So right out of the military? Into Scripps?
Into Scripps. And I think there were a lot of folks who probably at the time, maybe even including me, it was a little bit of like maybe I'm in over my head here. Like, have I jumped in at a really hard spot. The CEO there was a former police officer, Chris Van Gorder, and I think there was something that happened in our interview process that we made a military paramilitary kind of connection, right?
And he was like, I think this guy actually can help us because, We talked a lot about process and process improvement and discipline and those kinds of things. And I, it was for him, I think it was one of those things that maybe he felt Scripps needed at the time. And so I was lucky enough to be offered the job and I jumped at the chance.
When did you get involved with chime?
I got involved with CHIME when I was still in the Air Force, so probably five or six years before I retired. So it would've been 1999. I. When I attended my first CHIME and we have all kinds of funny people walking by, making faces and whatnot. Yes. Yeah.
Making faces at me. Yeah, so it was 1999. I came to my first chime. Obviously I'd been involved in a lot of stuff association wise at Chime, I've been on the membership committee. I've been on the fall forum planning committee. I've done like probably all the committees.
But 99, you come in. As some of these people that say first time member.
What was that like in 99? Did you go to a bootcamp? Did you just
No, no, I just came to the, I came to the event, I don't think boot camps existed in 99 and it was a much smaller conference. Right. There were probably a grand total of 500 people. And so, and everybody was very welcome. I mean, I was a Air Force guy. There weren't only maybe three or four Air Force guys or even military guys in Chime at the time. But everybody was really open armed shake hands. How you doing? Did you, your uniform to that? I don't think I wore my uniform.
I think it was one of those opportunities to kind of blend in with the civilians and. Kind of ruckus by standing out, right? So I think I came in civilian clothes and yeah, it was a great group. And
well, one of the things I want to do is I want to Anthony Grower walking past here. But one of the things I want to do is I wanna talk about career change.
It's one of the topics I can't really have with a lot of the CIOs I'm talking. Tell me about are you looking for a new job? But you and I have been through a fair number of career transitions and I, I just wanna back, go back and forth a little bit. I mean, 20 years in the military, obviously very stable, but that's almost paid job, Ho.
You mentioned, I mean, you went from job to job to job to job. Yeah. Yeah. And each one, I mean, you end up in a global kind of role. Yeah. Yep. This is why I like hiring military people. Only in the military do you go, it's like, how old are you? I'm 35 years old. What have you done? It's like, Well, I've, I've managed a global thing of hospitals with some being shot at
And you think I was 42 years old when I retired. Yeah. And I had done all that stuff and I had been in Desert Shield Desert Storm, and run an air transportable hospital and hauled it into the theater and out of the theater on C-141s. And then I'd been back 10 years later to do operations, Southern Watch, No Fly Zone enforce. Running a multinational hospital in Saudi Arabia.
So, I mean, it was, it's, I'm a farm kid from Indiana. By all rights, I probably should be mining coal in Indiana, but I just have had this crazy set of opportunities that have kind of put me where I am today.
But you get outta 42, you're doing this now. You step into Scripps. Scripps is a well respected large IDN in San Diego. I don't know if they were as big then as they are now. But they really haven't gone too far outside,
no. Revenue wise. Much larger now, but size wise, number of hospitals, they've added clinics they've grown the ambulatory side of the house and a lot of specialty care kinds of things. But they've done a, they've done a San Diego County kind of strategy, right.
Yeah. It's it's interest. But you step into that first post-military CIO role. I will tell you here's my story from that, I step into the CIO role at St. Joe's. Now I've been a CIO elsewhere and that kinda stuff, but never in healthcare.
So I come in. And here's how the story goes. Friday morning, we found a church. I start going to church. These guys invite me to the Bible study. I sit in the Bible study and then I'm like three or four weeks into the job actually. And at the end I go, Hey, is there anything we can pray for?
This is where you say, Yeah, I'm like, somebody's sick. That kinda stuff. I'm like, You can pray for my job. I have no idea what I'm. I am way in over my head. This is so complex and I, I say that to say to people, it's like, it's okay. And you do need a support group because there's, and you do need peers and a support group that go, Yeah, hey, I think I'm in and over my head.
It's like, well, where over your head? And you start to wrap it out and some of your peers will just look at and you go, You've got this. Yeah. Break the problem down. Those kind of things. I mean, talk about your first couple of days in that role of where you were looking at it going. I mean, cuz you've done some major things at this point.
Yeah, yeah. Well, so I think for me, what I realized pretty quickly that was that civilian healthcare wasn't actually significantly different from military healthcare except the vendors might have been different and the products that we ran may have been different, but the problems like the root cause problems.
Inability to make decisions about governance and prioritization and stick to them. Doctors are doctors and surgeons, and particularly our surgeons. And you have to figure out how you work with them and not get frustrated by them. You have to build relationships. There are presidents at each of the hospitals, just like there were commanders at each of the hospitals. So there really, it was just. Analogy of a lot of the same work that I'd been doing. I was just in a civilian healthcare system.
You're in this, I would think in the military, it's very top down. Yeah. Here's the orders, here's what we're gonna do, here's Yeah. I'm sure when you get to Scripps, it isn't like, Hey, here's the, it's not top down.
Yeah. And I think that is a mistaken belief about how military medicine runs, is that there's not, while there may be orders at the top. There's still very much a conversation. You have to remember too, that in military healthcare, a lot of the players, a lot of the physicians particularly, but others too, may come in with significant rank because of their experience and their career.
So they may come into the military as a lieutenant colonel or a major, or a colonel, so, They don't, they're not, they don't love the whole top down thing. They still want to be part of the conversation and understand how it works. And so military medicine is different in a lot of ways from the pure military, the line side of the Air Force or any of the, any of the services.
All right. We'll get back to our show in just a minute. We have a webinar coming up on December 7th, and I'm looking forward to that webinar. It is on how to modernize the data platform within healthcare, the modern data platform within healthcare. And I'm really looking forward to the conversation. We just recorded five pre episodes for that. And so they're gonna air on Tuesday and Thursdays leading up to the episode. And we have great conversation about the different aspects, different use cases around the modern data platform and how agility becomes so key and data quality and all those things. So great conversation. Looking forward to that. Wednesday, December 7th at one o'clock. Love to have you join us. We're gonna have health system leaders from Memorial Care and others. CDW is going to have some of their experts on this show as well. So check that out. You can go to our website thisweekhealth.com, top right hand corner. You'll see the upcoming webinars. Love to have you be a part of it. If you have a question coming into it, one of the things we do is we collect the questions in the signup form because we want to make sure that we incorporate that into the discussion. So hope to see you there. Now, back to the show.
Have you moved for jobs? Well clearly you've moved for jobs.
Yeah. Oh yeah. Yeah. For. Well, I went from Scripps Health to Seattle Children's and then Seattle Children's to,
And so you picked up and moved the family to family.
Okay. Yeah. Picked up and then from Seattle Children's to Steward Healthcare, which at the time was headquartered in Boston. And so part of this, I think if you think about your career and changing careers or train transitioning jobs, you. I, I tell this to a lot of folks who ask me this question like, Great career.
How did you plan that all out? The reality is I never had a plan for any of this, and a lot of it sort of boiled down to I had criteria for things that I wanted and that I felt like I needed in a job, and then I used that criteria to measure any opportunities that came. And there's a lot of just like, do a really good job in the job that you're in right now, and people will notice and they will offer you other opportunities, and then you have to use that criteria to kind of decide whether or not that's something you want to take advantage of.
What was the catalyst to leave a job in the civilian world? What was the catalyst? I mean you could talk about this now, that's what I'm saying.
Yeah. No, it's. it never came down to being kind of personality based or not liking my boss or any of that. There was
although that is, that is the number one reason that people leave.
For sure, and I was, I even in the Air Force, I sort of felt like I was a turnaround guy. And I got into that mode of like, let's send him here. He'll fix that in two and a half years. We'll move him to another place and he can fix that in three years.
We'll move him to another place. You get kind of addicted to it. Fix that. And so when I went to Scripps, I was there for two and a half years or something. And by the time I got to the two year point, I was really starting to think like I have fixed all the things that I can fix quickly here. And if I I'm making a commitment to like a long haul repair job if I stay for a long time. But other opportunities came and one of those was a Seattle Children's, a Toyota production system, healthcare organization. I was very into Toyota Production system. I loved Lean. I've lived in Japan for three and a half years.
I liked that whole model of how they prioritize and how they do continuous performance. It was a children's hospital. One of the things I always wanted to do was go to to a pediatric hospital. So that was in my decision criteria. It was an academic medical center. I always wanted to be okay, is there some way I can do academics?
And I was also the CIO of not only the hospital, but the Seattle Children's Research Institute. So I had a research institute opportunity too. It was kind of like a whole bunch of things rolled into one great opportunity. I almost get kind of chills thinking about it. I remember when I got the call and my first reaction was like, I don't know, I'm pretty set here.
And I got a, I ultimately got a call from one of my mentors who was involved in Seattle Children's who said, Go up there and just give them a day and do an interview. Just go up there. I think if you talk to these guys, you'll like it. And that is exactly what happened. I wound up taking a ding, going up and doing the interviews and like I was, I was in.
Do you recommend that people take the I.
I think if you do a quick interview, like, the first, it's like a, it's like a first date, it's like speed dating. In some cases, depending on how they set up the interview, you may go and talk to the CEO or the CEO and the chief operating officer, but if you have some control over that first, I.
Ask him if you can spend time with the CEO and the coo, the cfo. You wanna talk to the Chief medical officer and the cmio, and you probably want to see if you can talk to a couple of the leaders in the IT or information services department. And if you can, that's a real speed date and you can leave at the end of that day because one of your criteria, one of my criteria was always, do I really think I can work with these?
Like, are these people gonna be good teammates? Can I be a good teammate to them given what it is I think they need? Yeah. Based on that initial interview process. And if the answer to that is like, No, cause, and I'm gonna say something here, you're maybe we'll have to bleep, but I mean, I've kind of always believed in this No asshole rule.
Oh no, absolutely. When I go through that interview processes, one of the things I'm looking for is, is there an asshole in the executive? Or do they have a tolerance for allowing assholes to operate inside this organization? So if I can see that that's not the case, then I'm more likely to come back to a second dive in, really do some homework and research and kind of see what's going on.
It's interesting cuz when I left St. Joe's, I, I went into a large health system and they said they wanted somebody interim to do a turnaround. And that's sort of thought process too. I, I love doing turnarounds. It's I dunno. I just love doing 'em. Yeah. So, yeah. Yeah. Take things, break 'em down, create the structure and build it back up.
And I, I interviewed with the CFO, the CEO, the CIO had left and they sort of gave me the rationale and whatnot. I walked out of that. I called the firm. I said, I will not take this job. I'm like, even if they ask, I will not take this job. Yeah. And they're like, Well, why not? I'm like what I said is, I'm not really a good fit for this.
Yeah. I was a perfect fit for this. But the culture, Yeah. The people I interviewed, I'm like, They're not gonna let me be successful. There's a reason the last CIO's not here and there's a reason it's a mess. And it wasn't the cio Right. It's the two people I interviewed with.
And those are a lot of the things in that interview process. Like they're gonna ask you questions and you want the job, and you're gonna answer those questions, but it's really important that you ask a lot of questions because of it. Things exactly like that, right? You're interviewing them as much as you're right. I, I need to understand, are you really willing to make a commitment?
To turn around the department because they'll tell you, I mean, if you can get into a good conversation, they will barf all over you. All the things were wrong with the, with the department and all of the organizational structure and people they don't like and all of those things. But now you gotta sort of like spin the whole thing around and ask, Look, it's, it can't just be a department of complaints.
You have to gimme the power and the resources and the things that I need to be able to turn it around and make it better. And then even then, when they say yes, they don't, sometimes they don't really mean it. Right. You, you have to sort of do your. It's mind meld and like figure out do they, are they really making a commitment? Are they really agreeing to do that?
I mean, one of the conversations is with the cfo and you wanna make sure the cfo understands what it takes to run it. And so you get as much information as you possibly can, and you sit down with the CFO and you're saying, All right, what's the annual budget?
What percentage of revenue, what percentage of operating income is. What are you trying to support? How many users do we have that, and you sort of mapping, you're talking in their terms in numbers and go, Well, you realize, and you should know some of these numbers.
You realize where you guys fall on this that percentage of, of percent of revenue or something. Yeah. Is, is you're spending a lot lower than other systems. Why do you think that is? Do you think it's are you guys more efficient in some way? Is there, is there an approach to it that you've taken?
I mean, I would throw it back on them. Why do you think we can spend less money than everybody else? Are we that much better? And just ask the questions. And if the CFO says, Hey, you know what, no one's ever asked for more money, then you can ask the question of, Well, if this is gonna take one or 2% more, are we gonna be able to carve that off of the budget?
And invariably you want to have some, you're not gonna have the complete conversation then, cuz you're probably only gonna get an hour, hour and a half with the cfo. But you want to get an idea of what it's like to sit across from the CFO and have the conversation. Mm-hmm. Because you're gonna have that conversation a lot.
This is the whole like figuring out can you work with the person in an hour If you can have a good conversation with the CFO or any of those executive. And feel like there was a real give and take and they weren't holding back on you like and they were okay with you asking them hard questions like that is a lot of like, Okay, I think I can work with that person. Yeah. And sometimes not, Sometimes you're like, that I'm really awkward with them and that may be enough reason to disqualify myself from this job.
Conference season is upon us and our This Week Health team and I will be at the CHIME Fall Forum celebrating their 30th year in San Antonio. And we're also gonna be at the HLTH conference, HLTH in Las Vegas the following week. While at these events, we're gonna be recording our favorite show on the road, which is interviews in action. And as you know, what we do is we grab leaders from health systems, healthcare leaders from across the country. And we capture 10 to 15 minute conversations with them to hear what's going on, what they're excited about, what are their priorities, and those kinds of things. It's a great way for you to catch up very quickly on what other health systems are thinking and doing across the industry. We actually air this on the community channel, This Week Health Community. It's the green one. So if you go out onto your podcast listener of choice and do a search. This channel is also where community members like yourselves have been invited to do interviews of their peers. So check those out as well. You can subscribe wherever you listen to podcasts. Look forward to catching you on our interviews and action.
Seattle children's, you take that role, a lot of opportunity, a lot of different things that you hadn't had before. And but eventually you leave there. So how could you leave the perfect job?
I know, and it really was a terrific job. A new ceo, Tom Hanson had come to Seattle Children's. They were in the process of just in the first year, starting to revamp the whole organ structure and what they were doing. How long were you there? Four and a half years.
Wow, that's long. Yeah. But when Tom decided to retire, that was my decision to start exploring other opportunity. Actually exploring out the other opportunities always came, but it was the first time that I sort of said This may be a good time for me to, to think about a transition because you never know.
You get a new ceo, that person wants to bring in their own person. They may come in and upset the apple cart in other ways. You're really used to working with this. Unfortunately, Tom wasn't going to another healthcare organization, or I had the kind of connection with him that I might have really considered possibly following him to, to another place
That is a common career progression. Yeah, for sure. And also the other thing you just mentioned is a common career progression. The CEO changes. Yeah. Some event happens and then you're sitting there going Do I want to sit. Cuz there's uncertainty that's created through that whole process. And it's not pleasant for anybody
throughout the whole organization.
Absolutely. Yeah. And I mean, I think a good reason for thoughtful planning. What are you gonna do? How's this transition gonna happen? Figure a lot of that stuff out and then talk about it. This is how it's gonna happen, this is how it's gonna work. Be transparent about it so that everybody Look, if you don't give people information as well as if you don't give people information, people will make up information.
Yes. Right. They will. The rumor mill will start and it starts to impact everything. Clinical care, business operations, research operations. People are spending time wondering what the real story is instead of actually doing their work. If you give them the real story, just like be really transparent about it, then people are like, Oh, okay.
That totally makes sense. Like Tom's just ready to retire. We're gonna do a search and we're gonna find this person by this date, and here's the kind of person we're looking for, and we'll keep you up to date on the interview process and how it's going. Yeah. I think that really takes a lot of the stress out of an organization to kind of go, Okay, we have a methodical, well planned process to go through this and
talk about the standing up. What was it? Was it called Dexo? No. Drex. Uhhuh. Drio Dexo. That was the name of the company.
Drio Digital health, or Drio Innovations Network.
So everybody wants to hang out their own shingle. They're like, Oh, I'll leave and I'll do this thing. I mean, I, I've heard it at least three time. Three or four times here.
Yeah. Already today. It's like, Oh yeah, I'm, I'm gonna do consulting. And generally people are successful. There's a lot of, If you have the experience, they're generally successful. Yeah. But what are some of the pitfalls of starting your own thing,
man. So I think when I first, when I left,
Because you're well liked, everybody, everybody wants to work with Drex, so everybody just assumes like, Oh, this is just wildly successful. But running your own business is a different set of skills altogether as well.
It is, and I I would just kind of say I really sort of made a decision for some other personal reasons that were happening that I needed. Take a beat take a breath and think about what I really wanted to do with my life at a particular point before, before I started Drex.
Was this a midlife crisis?
It was actually tied to a, a very close friend of mine passing away. Yeah. And some conversations that we had at the end of her life that really caused me to think about what the hell it was that I was actually doing with. And so I took some time and just like took, took a breath.
But literally within the first month, people started calling me, Hey, I heard you're kind of like taking a little break. Like maybe you can do some work with us or help us with this, or help us with that, or come to work for us. And there was a lot for me at that point. Like, I don't know that I want to get into something right now that I can't really commit to, so I need.
Give me, gimme a little bit of time, but literally within about three months I was kind of like, there were enough calls. I was like, maybe I can just actually take some time off and have some good work life balance, but still work, but do it just in little bitty pieces where I can help people with just special projects or little things like that.
So I did the llc, but what you realize after kind of in that first year of having the LLC and starting to work. It ebbs and flows. Like it's a really different world. You're not gonna get a paycheck on the first and the 15th, and it's always the same amount. Like,
and by the way, the first year is usually the best year.
The, well, for me, the first year was just a crazy year because there were a couple things happening. One, it was just early and I think a lot of people were kind of like, Is, is what's he doing? And where's he going? And it was also self throttled because I kept saying no to a lot of. And handing it off to friends who were really good at those things.
It was a little self doubt in me about whether or not I could really do this or if I really wanted to do this or what the next step for me was going to be. But I mean, a lot of these people I met through Chime or people I met through other organizations who came to me and were like, No, really, you could help us with just this piece or just this thing.
It turned into a regular drumbeat of work. A lot of it was around governance and prioritization work. A lot of it was helping marketing teams. It was helping product development teams. A lot of it was just like, we need a voice of a CIO in the room as we go through this conversation about whatever.
And sometimes it was with health systems and friends of mine who were CIOs who were. I know you've done this work, whatever it is, can you come and just like, help us figure that out?
Have had you ever had that evaluation, if you will, that that self conversation of what am I doing? What does this mean? What do I want my life to look like? Where do I wanna spend my time prior to this?
So I think you wind up for me, I wound up in a little bit of a situation where I kept doing, I'll give you, I kept getting good opportunities and so I kept taking advantage of those opportunities. But I think in many cases I wasn't doing those things because I wanted to do them. I was doing them because I think other people had expectations of me to do them.
A friend of mine gave me a narrative around this. He said there's two kinds of stories in movies and books and whatever. There's the plot driven life and there's the character driven life. The plot driven life is, ah,
I'm 16, I'm gonna get my driver's license. I'm 18, I'm gonna go to college. I'm 22, I graduate. Yeah, I'm 24, I get married. I'm 28, I have kids. It's like, it's just the plot, just that's the plot driven life. The character driven life, the person steps back and says, I have 700,000 hours to invest in my life before I get to the age of 75 or 80.
Yeah. Interesting. And goes, when I get to the end, how do I want to have invested that? Yeah, and then they design their life. They're like, I don't think I'm gonna go to college right away. I think I'm gonna do this, and then I'll come back and go to college, then I'll do this, whatever. And they design their life that they wanna live.
Now, it might not look like that. Nobody puts it on a piece of paper and it just comes out. But when you get to, when you get to our age, I assume we're close. You're probably younger. You look younger than me.
We're close. I think I'm, I think I'm older.
We have enough experience, we have enough connections, we have enough friends. We literally can do, and we could go back and be a CIO. We could work for a CrowdStrike. I can start my own company and head. We have so many options. Yeah. That if you haven't done it by now, it's time to sit back and go, What do I want my life to look like?
I, I totally agree. I mean, I love that analogy and I'm just thinking about it in my own career, in my own life, I think I ran sort of a plot driven.
Through Steward Health Care, right? Probably. And then I got to that point where I started to really think about what do I really want to do and how am I gonna make a difference? And I don't know that you spend a lot of time, really, it occurs to me the word legacy, right? I don't know that a lot of people get really wrapped up in like, what's my legacy gonna.
Yeah, but for me, I was always like trying to figure out how do I make the biggest difference? Like what do I do to make healthcare better? That was always a real driving thing for me. And so maybe I led a plot driven life until some point, and now I'm doing, what's the other version of the character driven, character driven life.
Now it's kind of a self designed, here's what I want to do. And I mean, as I got into Dexo and I had more and more clients, I also went from like kind of working part-time and really having a lot of time for myself to realizing that a lot of my work as an independent consultant was work that I really wanted to do because I felt like it really made a difference, right?
So I was really into it and it didn't feel like work at all to me. And so I kept do, I started doing more of it and. Some of this and some of that and whatever. I didn't have direct reports. I didn't have to write bonus plans, I didn't have to write annual reviews. I was able to be an individual contributor and actually help lots of other people do their work really, really well.
And I found out like that super really appeals to me. I really love that version of my life. Like I don't feel like I'm working because the work that I do is really good fun work for me.
And the people you're working with, you really like
Absolutely. And, and then that turned into sort of this word situation of CrowdStrike was a client of mine at Drexel and I helped them stand up the healthcare vertical and the more they, the more I saw the product roll out and talked to CIOs and CISOs who used it, and the more I was like, got into like, I can't believe it works, like this is really awesome.
Then at some point we had that conversation about would you ever consider becoming an employee again. And I really thought at that point in my life, I'd been an independent consultant for six years. I thought, Well, I'm never gonna have a job again. I mean, I'm just gonna do what I do as an independent, but I, but I wound up joining CrowdStrike. So
And so that's where you're at now.
Great. It's a great team. It's a great, fun people to work with. I like the, I mean, a lot of ways, I'm an independent consultant now inside of a big. because my job is ill-defined. I'm kind of a utility player. I spend time with marketing and product development and other manufacturers and customers, resellers, and tons of time with customers.
And so I really get to see and help, not just the cybersecurity stuff. I mean, I spend a lot of my time talking to customers and prospects about, I mean, I've done all this other stuff and sometimes our whole conversation goes down a path that doesn't have anything to do with cyber. So
I'm trying to think if I really want to get off this topic yet because it's, it's been kind of fun for me to get on this topic. Cause you, for me too, because you and I are always talking about the news and it's, it's a very crisp kind of kind of thing. And it was just kind of interesting to get to know you and, and hear that aspect of your story. The cybersecurity. It's an interesting space. I just had a meeting with a bunch of CISOs down in, in Naples, and I am very encouraged by what I heard.
I mean, hardworking, dedicated, smart, doing some great things. So if all you read is about the breaches, you think, What are these knuckleheads doing? No. But when you sit down with them, you realize this is a highly complex problem. They're breaking it down as best as they can. They're getting the funding that they possibly can, they're automating things.
I, I heard some phenomenal solutions that I'd not heard before. I heard really forward thinking about what we're gonna do in the event of ransomware attack. Like, we're ready. We have a plan. Yeah. And they're, they are planning for worst case ransomware goes across the board, but they're also doing all the things to make sure that it, it doesn't happen. Doesn't happen. Sure. And control the blast radius and do all those things. Sometimes those things are outta people's control though, aren't they? I mean, you yeah. You do an acquisition and you take all the precautions and,
Yeah, no, for sure. I mean I double down on your comment about the folks who are doing the work right now, the practitioners themselves super smart, breaking their backs, trying to figure out this stuff and how to get it.
But a lot of it boils down to there's not enough of them for all the hospitals in the country to build the kinds of teams that they probably need to be able to build, to do the things that they need to do. And there's not the resources necessarily to do that. And so they're doing the best they can.
But sometimes you still get breached. Even if you're doing all the right things and doing everything you can, you, you can still have incidents that of, that migrate themselves into a full, full blown breach. And like you said, sometimes it's not your fault. It can be anything. It can, it can be the right, the most minor thing that.
It just didn't get done by your infrastructure team or, I mean, we talk about this all the time, but like the bad guys only have to be right once and you have to be right all the time. That's totally true. And so it's about how fast can you find these things and then get on top of them.
And our internal auditor was Deloitte and they did a, I had 'em do a, just a complete, Hey, get in, see what you can get into. And they. By the way, getting credentials from them at the time was almost so simple. It, it hurt me. Like it was like they set up a website, got a bunch of credentials and it's like, how'd you get the credentials? They gave 'em to us.
Yeah. It's like, this is Bob from the help desk. I'm having a weird thing happening, this application. Can you gimme your password?
And so clearly we have some things around that and I can't wait till we get to the point where people don't even know their passwords. We get to that point. They got in and they kept hitting our Citrix servers until they found one that wasn't patched. They found the one that wasn't patched.
They knew what the exploit was. They went boom, boom, boom, boom. Yep. Move literally. And that's how they got into the, into the system. And I'm like, How many of our Citrix servers weren't patched? They're like, You know what? They were all patched except for those two over there because of a glitch that happened in our process. Yeah. And I'm sitting there going, you just have to make one mistake
for. I pushed the button. They're all supposed to be patched. That's the report I got back. Now I didn't go back and double check to make sure that they're all patched and sometimes you get a false reading from the tool that you use or something.
So it's, I mean, it's hard. That's why it takes so many people. That's why it's so, if you wanna be airtight about it, there just is no air tight. I have a friend who talks about picket fences and cyber security all. And he says, you can make the pickets higher and you can make them more sharp and pointy on top, and you can move them closer together.
But there's no way that front yard is holding water. I mean, this, those pickets just aren't airtight. And that may be a good example for, or a good analogy for cyber security.
So, I know the answer to this question, but is it just more money and more people?
I think a lot of it is the way that you think about cybersecurity and
So we, we have the Warner thing this week. Yeah. Yeah. Which is essentially, I'm gonna really boil this down. You're gonna get mad at me, but it's essentially MU for cybersecurity. Yeah, yeah. So the government's gonna come in with carrots and I, I, I didn't read about sticks and so I, again, I didn't read the whole thing, but I saw the carrots in terms of incenting health systems to do the right things around cybersecurity.
And the government actually just like MU, here's, here's some money to do it. Right, right, right. I, I've interviewed enough people on the show that I would be disingenuous to say that MU worked. Yeah. Yes, we are digitized, but we are digitized in islands of whatever. Yeah. Is cybersecurity different?
I, you, I, I'm, I'm, I'm laughing because I was thinking about this. I was talking to Wes Wright from Imprivata. Long term, long time friend of mine. The red sneaker guy. Yeah, the red sneaker guy. I've red sneakers too, by the way. We were laughing about that today about this whole idea of meaningful use for cybersecurity.
And I think if you talked to Meadows CIO of the year Yeah, she would tell you that way back in her days on the subcommittees for cyber security, they talked about meaningful use for cyber security or meaningful use like programs for cyber. When, right before I joined CrowdStrike, I have a direct message that I found the other night, and as part of this conversation with Wes that I'd sent to Micky Tripathi, who had just taken over as the office of the national coordinator.
Yeah. And in it, I talked to him about, I, I can we have a conversation? I, we have this idea about shouldn't we maybe have some kind of meaningful use program, literally use those words, for cybersecurity. So this isn't an idea that's like new and fresh. It's one that I think a lot of people have sort of talked about for a while, but the devil's in the details.
Just like the devil was in the details for the meaningful use program that came to us for electronic health records. And we made a lot of decisions really quickly about what the carrots were and what the sticks were and what the measurements were gonna be and how we were gonna certify electronic health records and all those things happened really, really fast and probably had a lot of unintended consequences that we didn't spend a lot of time thinking about because honestly, the meaningful use program was a, was an employment program. It wasn't really a deploy medical records program.
That's what people don't remember. It's coming out of a recessionary
time out, a terrible recess. The government was trying to figure out how to stuff tons of money into the economy. Yeah. To get people jobs and get the economy moving again. Meaningful use program was one aspect of that out of the American Recovery and Reinvestment Act and I mean it had legs, right?
So people really got it and they loved it and they kind of intended to deploy electronic health records anyway. And it was built in such a way that those who had already made investments were able to claim money. And those who had. Deployed electronic health records were also able to claim money. So there wasn't a means test for who got to participate in the program, but the unintended consequences turned out to be a couple things.
Right. We hear a lot about physician burnout and nurse burnout because they're using the electronic health record to do things that are more about billing and documenting for billing than it is maybe for doing all the right things for healthcare or I don't
even, or, or, or documenting for the government,
documenting for the. And I think there's also this unintended consequence of I have a presentation that I do that kind of says, Okay, in 2008, we had meaningful use program take off. Also born in 2008 or about the same time Bitcoin. And the unintended consequences is that at some point at Hollywood Hospital, a few years later, the streams were crossed, right?
And the bad guys figured out we can lock that stuff up in a. And they will actually pay us for it.
Yeah. We don't, So a whole new industry was born. Right. And, and we don't need a bag of cash cuz you know, they're gonna put the paint pellets in there that are gonna explode. They would just give us Bitcoin. Right. Which is untraceable.
Right, Right. And so there was not a lot of attribution to those individuals. They were not arrested. It became a really, I mean from a cyber crime perspective, it became a really, really profit.
The version of business. When, when we talk about what happened with MU, nobody will argue the fact that we have more digitization amongst healthcare than we probably would've had without MU. But when the government gets involved, it's sort of like when you, if you won the lottery, what is a billion dollars take home now?
Yeah. I don't know. Is it nobody wanted again? Oh my goodness.
I don't think so. But you know, it's, it's a billion dollars and Right. So how much you gonna give your kids? Well adjusted healthy and whatever. Now you give 'em a million, gonna give 'em 2 million. Are you just gonna keep the billion and be like, I don't wanna ruin my kids. Yeah, there's a, But here's what happens. The government steps in and they go, Hey, we're gonna give you some money. If you do this project we're gonna give you, and it's a sizeable amount of money and, and whatever, and they, it, it warps the whole thing. All of a sudden you have EHR C. Like outta nowhere, out nowhere, scrambling whatever.
EHR deployment, EHR optimization companies, some of them,
again, everybody with the best of intention, Nah, that's not true. Half of which with the best of intentions, The other half with the, oh my gosh, look at all this government money that just came in here. And if we just get a couple health systems to do our EHR and now we've seen mass consolidation in that, in that EHR space. So we, we had that kind of thing. We had unintended consequences of data interoperability, massive silos, which wasn't really written in there.
It wasn't written into the, any of the MU stuff. So all the EHR systems, even if you use the same vendor, were often built differently and collected data differently and stored it differently and reported on it differently. So
this is why when I read, Oh, all these health systems support this, I just, I am so cynical now. I'm like, Of course you support this. You're gonna get money. And of course the cybersecurity vendors support this cuz they're gonna get a ton of money. Yeah. And I don't read that to be this is a good program or not, what would make a good program.
And I think this requires a lot of sort of careful
and we've got 30 days to comment.
But yeah, we go, I think it requires a pretty careful, well thought out sort of process, which. I mean, we've been talking about this idea for a while, so I think a lot of people have a lot of ideas. Take that think tank, put 'em in a room and let 'em come up with some ideas about what good looks like for a program like this. I think there has to be a you have to be this tall to ride the ride and be able to money, but there's,
we've missed, right? Isn't this
give us, we, we, I mean, definitely it could be framework driven. It could be framework plus, tool driven. We have, I mean, if you've, you've done tons of interviews with CISOs and CIOs and talked about cyber liability insurance right now. Yeah. Without these things being in place, NIST framework or not cyber liability insurances have, have created their own criteria of what good looks like. So we need to settle on something. This is what good looks like,
but that's sort of my point. Yeah. The people. Healthcare would not have gotten to this place. And I argue, yes, it would've. When the government gets involved, it accelerates this thing. It's like pouring a whole thing, a Miracle-Gro in your lawn and going, Oh, why do I have such a weird patch over there?
It's like, Well, you just put that much nitrogen in that space. Of course, that's what's gonna happen. Well, it, it skews everything. Eventually, the, it does work at its, I mean, Mayo would've done an eh, And they would've done they, they would've, all the things they're doing today, they would've done mm-hmm.
as would've fill in the blank. Health systems would've gone in this direction. Cause they, they would've looked at it and said, Hey, you know what? Our mission calls us to do this. Every other industry is digitized. We wanna create an experience that is comparable to the other industries to think that healthcare would've stayed on if MU hadn't happened is kind of ludicrous. I
think it would've just taken a lot longer. It would've gone a lot more slowly, and I think we would've wound up with a better result.
I think we would've had faster consolidation of health systems.
I think so. And I mean, I think you see that unfortunately, you're, you kind of see some of that right now, right? That we've bought all this stuff, we've put it in place. We're trying to. It's really hard if we're a small place to find how are you gonna find all the analysts that you need to be able to do all the things you need to do with your EHR. One of the things you can do to get out of that is to ultimately be acquired or to create some kind of another relationship with a health system that binds you more tightly to them. Yeah. And
yeah, this, this becomes free market versus government driven programs. I don't, on election day, actually, I don't really wanna go this path too far. But I, I have seen markets work but I've also seen markets not work and more times than not when markets don't work, some, something steps in and skews them.
Yeah. And it could be the loss of competition or it could be government dumping a ton of money in, and now all of a sudden the incentives get all weird. Yeah. So I, I don't know. I, but if I look at this, I would base it on. I would make sure the measures are really clear. I would I think I, I like your, your concept of stepping forward and looking 10 years out and saying, All right, what do we need from a cybersecurity standpoint?
And I, the only thing I could tell you, I know for sure in 10 years we're gonna have to be incredibly fast and incredibly nimble. Yeah. Because the attacks are gonna get. They're gonna be quicker, they're gonna be almost constant and they're gonna be more sophisticated cuz we're applying AI to healthcare and they're applying AI to getting it.
Yeah, absolutely. I mean it's the e-crime syndicates that are involved in this are able to make so much money and take very little risk in actually being arrested or going to jail. It's a very lucrative business and very lucrative businesses in the free market, even in the criminal world,
get more money, get more investment, get people who want to be involved in the sort of cutting edge, bleeding edge high tech. And that's what a lot of the adversaries are today. They're high tech companies with CEOs and CFOs. They have bonus programs, they have employee of the month programs. Literally, they have all the kinds of things that big companies have, they have all kinds of alliances with negotiators for ransom and all those things.
What's your CrowdStrike numbers? It's like 1/10/60
1/10/60, Yeah.
What is the 1/10/60?
1/10/60: a minute to detect something going on. And again, for us, that is sensors across 20,000 customers around the world that take those feeds and put 'em into something we call Threat Graph. Big data analytics engine, right? Machine learning, AI engine that looks for particular patterns that triggers us that there's something weird going on there. One minute to detect, 10 minutes to investigate. Now real life humans get involved and investigate that. Okay, that's a false alarm. Let's read. Let's put some more training into the ML, or that's a real thing, and then 1, 10, 60 minutes then to
either remediate, completely resolve, put the machine back in service or isolate that machine so that we can do the organization, we can do further investigation on that particular item. And reality is we're at like 1/10/30 right now. We still talk about 1/10/60, but it's because the adversary, on average, we know once they get a hold of the first machine, it takes 'em about an hour and 24 minutes to break out of that machine, that's moving laterally.
We hear people talk about it, so in an hour and 24 minutes they can move laterally. So the speed aspect is that you have to be fast enough, fast to detect, to investigate, and to remediate that initial incident. And you can do it so quickly that they never break out of that machine. And then it's like if a tree falls in the woods, does it make a noise?
Does anybody notice? You can have all the incidents you want that they don't turn into a breach and they don't interrupt business operations and they don't compromise patient information. That's a different model of cybersecurity and just trying to put the picket fences together.
Right. And I love that 1/10/60, but I think it's gonna have to. It's gonna have to get faster. It's gonna be 10/1/6. It's gonna be, we, we know. 10 seconds, one minute, six minutes.
I'm totally with you. I mean, we know, just looking back over the years, that hour and 24 minutes was eight days prior. Yeah. I mean a few years ago and then became eight hours and then it's just, it's continued to shorten down. And so the enemy is the bad guys, the enemy, however you want to put it. They are very prolific in innovation, their own creativity, and,
and this is where it can't, That's what we're up against. When we get down to 10 seconds, one minute, six minutes, it can't be people anymore.
I think a lot of this, I mean even today to get to 1/10/60, a lot of it isn't people, right? We're using AI, AI and machine learning to grind through everything that's happening from all of those sensors from around the world that tell what's happening on those endpoints. Humans can't do all of that. Humans are doing the investigations now, but at some point the AI continues to get better and better.
The ML continues to get better and better. The alerts are fewer, farther and fewer in between so that the investigation can happen more quickly. And so the remediation can happen more quickly. But it is a nonstop battle and it's a hard thing, I think, for an individual organization to build something like that for themselves.
And so, I mean, honestly, it's part of the reason that I'm at CrowdStrike is that I think this idea of plug into the wall and cybersecurity comes out, at least some part of your cybersecurity stack, is a really good thing, which then frees up everybody else on that team to go work on all the other things that there's no end of like projects and other security work that they need to do.
So it's a take this part of. Give this to a company that can do it really well so that you can go do all the other stuff. And it's it's. We're, we're in a really interesting place in healthcare and in healthcare cybersecurity right now. I, so
I hope it helps. I hope people can see the whole progression. And you are incredibly passionate about what you're doing now. I do. I know I get living in Seattle, which you love to do. I do, yeah. And you're hiking and outdoors going up mountains, which you love to do. For sure. You found, found your, your spot.
I'm really lucky. I'm like, I am like the luckiest guy. Absolutely.
Well, thank you for your time. It's always a pleasure.
It was a good time.
What a great discussion. If you know someone that might benefit from a channel like this, from these kinds of discussions, go ahead and forward them a note. I know if I were a CIO today, I would have every one of my team members listening to a show like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com or wherever you listen to podcasts. Apple, Google, Overcast, everywhere. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our Keynote sponsors who are investing in our mission to develop the next generation of health leaders. Those are Sirius Healthcare, VMware, Transcarent, Press Ganey, Semperis and Veritas. Thanks for listening. That's all for now.