January 9, 2025: Duc Lai, CISO and VP of the University of Maryland Medical System, shares a compelling journey from war refugee to military academy graduate, and ultimately, to a leading cybersecurity professional. How do military leadership lessons shape the approach to defending against evolving threats like ransomware? What happens when the human element—rushed healthcare providers and vast networks—becomes the primary vulnerability? Duc discusses the balance between enabling efficiency and ensuring security, quantum computing, and third-party risks in this impactful episode.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
(Intro) The technology is easy. If our jobs were purely technology, I think we would all be very good technologists.
We're human. We live in a human world and we're protecting data from humans being used by humans.
My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare one connection at a time. Our keynote show is designed to share conference level value with you every week.
Now, let's jump right into the episode.
(Main) everyone, this is Drex, and we're doing keynote today. And I have Duc Lai, who's the chief information security officer at University of Maryland Medical System. Good to see you, Duc. I'm glad you're on the show.
Glad to be here, Drex. Thanks for having me.
long ago. And it was a great
We had a good crew in the room. A lot of good conversation. What did you think? Did that meet your expectations? Yeah.
Oh, yeah, I loved it. I thought you guys did a great job organizing it. The prompts that we had were really engaging, and I think it got a lot of people to share, which was really important.
And it was great to meet the other participants, and that's really the most important part, are the people. And there's quite a diversity in the group and from the area, so I really appreciated being there.
Yeah. That won't be your last one. We'll definitely invite you to another one down the road here too.
Let me start with a little bit about you. Every great leader has a story and the story about what shaped your path. How did you become a CISO and how that journey has influenced the way that you approach cybersecurity today. So what's your story?
My story starts when we came over to the United States, we immigrated from Vietnam after, at the end of the Vietnam War as refugees.
I was inspired by my father
Awesome people. I consider that my hometown. But looking to the future, I had a lot of siblings. My father had graduated from the Vietnamese military academy. And so he inspired me to look at attending the United States Military Academy at West Point. And so I was lucky enough to be able to apply and had the opportunity to get an appointment.
So after graduating from the military academy, I served on active duty in the Army as an officer, and I think that's the basis of the rest of my career journey. That was where I learned leadership and team building. And you're a retired Air Force officer. Yeah. You know what I'm talking about.
se concepts come together in
It's the training, right? It's the training. First of all, going to the academy is, when you think about winning the lottery or what are the odds that you could possibly get an appointment to the academy, it's such an amazing long shot that anybody can even get in.
And then being able to survive it for the four years to be able to graduate, which is another huge accomplishment, and then moving to active duty. That must have been quite a trip. Tell me a little bit about the academy, what that was like.
I felt so lucky, right? And only in America would a war refugee, 15 years after coming to the United States, have the opportunity to attend one of the premier service academies.
en that opportunity was like
It's meant to reshape you and to make you into a leader by first teaching you how to be a good follower, and also how to be a team member. We were all normalized, as you can imagine. That's the military way, right? Where you go to boot camp and everybody has the same haircut, everybody wears the same clothes.
It doesn't matter what background you came from. You're all in it together and you have to rely on each other in order to make it through. We had a saying at the academy, cooperate and graduate. And we had a bunch of other, military sayings and I'm sure that you have some as well.
Those are the types of lessons that you carry through your life. And I wouldn't give it up for anything. I thought the education was top notch, top quality, and really prepared me for the rest of my life. And prepared me to serve on active duty, leading troops, being a platoon leader.
academic and the educational
I had an electrical engineering degree. But you learn how to use those engineering concepts and you learn how to learn to pick up technology. I was a battalion maintenance officer. I never thought I would end up learning how to fix diesel vehicles and trying to scrounge for parts.
But that was quite a learning experience as well. So every step in my journey has been an incredible learning experience that I've been able to build upon. And I feel very fortunate to have had those opportunities that are unique. Yeah, it's
n that and what you're doing
Yeah, absolutely. I think it really aligns with healthcare's mission and certainly at the University of Maryland Medical System in serving our communities and providing critical healthcare services. And being a part of a mission that's bigger than yourself, right? At the Academy, the motto was Duty, Honor, Country.
In the United States Army, it's serving to protect and defend the Constitution, protecting our national security interests, and then leaving the military and serving in our community. I've always been drawn to organizations where the values and the mission are bigger than oneself.
And so I've had the fortune to be able to work in a variety of different companies and industries. So after I left the military, I worked for a defense contractor, then I worked for a large national ISP as a network engineer, in a for-profit, shareholder-driven company, and then I worked for not-for-profit companies, and I worked for an internet security company.
And
I love that you have all this other experience and you bring all that to bear in a really challenging environment that we live in right now. Cybersecurity and healthcare, super high stakes business. When you look back at your career, you've talked about a lot of stuff. Any specific defining moment in all of that is the thing that kind of solidified your commitment, your decision to come to healthcare and to do this kind of work?
cyber security. And it was a
build a security program from the ground up. There was a saying that I learned in the military, that if you take lead of a unit that's at the bottom, the only way you can go is up. I kept that in mind. And the first week that I got there, there was a compromise. There were workstations that had someone remotely controlling the mouse.
You could sit there and see command windows open and the mouse moving around. And I'm like, okay. So here's what we need. We need some IPS, we need some better antivirus, we need to lock down the firewalls. And so that just right into the fire in that role allowed me to make an impact right away and just continue to build on that.
a mature financial services
And so I felt that when I left that role, that what I was leaving behind was impactful and would endure. And that's, I think, what for me was a defining role and a defining moment in my career.
As you look at it now, as you think about it now, I get this question sometimes, and I think it's a dumb question, but I'm going to ask it, but I'm going to ask it in a little bit of a different way.
And it's the "what keeps you up at night" question. Not the fear that may keep you awake at night, but the ambition. What drives you to innovate and lead and be a creator in this really critical healthcare business line, cybersecurity?
I think part of it is my background and training as an engineer.
? And so it makes you think,
And that's what I strive to do. I think that's inherent in my nature. So it's not really keeping me up at night, but it's constantly thinking about where can we do better, what can we do better, and how can we do it better?
Yeah. Great. I love that. That's a good twist on the keeping me up at night.
It doesn't really keep you up at night, but it nags at you constantly. How do you make it just a little bit better?
It's related to the things that do keep you up at night. So yeah. Because those are the weaknesses or those are the shortcomings that you're thinking about, but you can't forget about the things that are going well, because those could also probably be improved or matured because, in our industry, it doesn't take long before the status quo becomes obsolete and outdated and not good enough anymore.
ly, growing concern. Can you
It's such a big thing right now in healthcare. Ransomware.
Yeah, it is our top risk, right? Because if you look at the likelihood, the typical risk formula, the likelihood of somebody attacking a healthcare organization, one of these threat actors, is pretty high because it's pretty profitable for them. Yeah.
And that's part of their incentive and their motivation. So the challenge is, one, how do you reduce the likelihood? How do you make yourself less of a target? But I think the harder part is the impact part of it. If you assume that someday we're going to get hit with ransomware, just because in healthcare, one of the challenges is our attack surface is enormous.
Yeah. We have tens of thousands, hundreds of thousands of endpoints used by folks who are good at providing healthcare, but not necessarily good at cybersecurity. And so eventually we may all end up being a victim of ransomware. So how do you build your organization? How do you train your organization to be so resilient?
mizing the impact and you're
And if you're able to do that, then you can assume that when you do get hit, it'll minimize that impact on being able to take care of patients, which is the ultimate mission in healthcare, right?
Yeah, so this is a good transition to another question that I had on my list, and that is as much about the people, obviously, as it is about the technology.
So how do you build, how do you cultivate, how do you plant the seeds that grow into the flowers from a culture perspective in an organization that's as big and as complex as UMMS?
I have to put on my hat as an evangelist. And I have to constantly be evangelizing to the cost of security, right?
good. And so a lot of times
And we have the typical sort of governing council. We have a security council with multi-domain, multi-functional members on there who can act as ambassadors. They can provide us with input into our communications and how we can do better in evangelizing the mission of cybersecurity and why we need to do the things that we need to do.
The other part of it, around human behavior, is changing human behavior. And one thing that's unique about healthcare: we have providers who are very focused on providing quality health care. And a lot of times they're in a rush, right? They need to open Epic or they need to open the EMR and type in their notes or look up patient records, and they don't have the time or the tolerance to pay the security tax.
date for that workflow? with
That's one of the biggest challenges. And like you said, it's related to the human factor. The technology is easy. If our jobs were purely technology, I think we would all be very good technologists. And if we had the resources to buy the technology, we could certainly lock things down pretty tightly.
We're human. We live in a human world and we're protecting data from humans being used by humans.
Yeah. Yeah.
patient care and operational
There's a lot of things that compete for people's time, compete for money, compete for the project list. How do you work that balance?
You have to have an open mind and you have to be open minded to understand and be empathetic to what your providers, your users, your employees, your team members, what they're trying to accomplish, and you have to work with them and be flexible and agile in your security controls. And that's gonna help you find the balance. And there is no single balance. The balance shifts depending on the situation. The balance shifts depending on the organization, the location, the application, the user group. And so you have to be able to understand that and be able to adjust that balance.
You're rebalancing all the time, like every day.
in a secure way. One of the
that work because they're working long shifts. They want to keep in touch with their family and keep in touch with the soccer schedule and all of the personal conveniences that would be nice to have. And so how did we solve that and make it secure? We explored different options and we chose a webmail isolation solution, which controls, you can block downloads and uploads, but allow people to actually communicate with their families in a secure manner.
So to me, that was a rewarding solution because we were able to reduce our attack surface, reduce our risk via this channel, but still allow our employees to access the information and stay in touch with their families. That would ultimately, hopefully, make them happier and help them to provide better patient care.
gy and people initiatives at
Probably, maybe I'll ask you next what's next?
The reason that an MDR solution was so critical to us was, as I mentioned before, the huge attack surface. The tens of thousands of endpoints that we have that are used every day constantly. And so realizing that's a likely attack vector, whether it comes from anywhere else, it's going to end up on a workstation or a server.
Being able to detect quickly and respond quickly, and hopefully contain it to whatever the smallest blast zone that you can, is a very critical approach to fighting ransomware or any other kind of threat or attack. So that's one half of that solution. That's the technology part of the solution.
But you also have to be able to have someone help you monitor that 24/7
and be dedicated to it. So in
with the technical depth of a partner that can look at these EDR events and immediately take action on your behalf. Frankly, us to take our Thanksgiving break and not have to be watching our emails and our events all the time. So that's really the strategy for helping to combat ransomware.
And I think it's a very effective strategy. But it's a two-part strategy, right? The actual technology, but there's also the monitoring piece that's critical to that. And I think that's allowed us to focus on other areas, other controls around the network and around identity. And so as a backstop, in case there is an intrusion, then be prepared and be resilient.
and how fast can you respond?
Yeah, like speed is everything. So now I'll ask you the long range question. Looking five years from now, it's hard to imagine even what would go on in five years, but let's just say a year.
What do you think will be some of the biggest threats to healthcare and cybersecurity? And how can we prepare for that?
So in the next year or two, third party risk exposure. You may not be compromised yourself, but we're all interconnected, especially in healthcare, with lots of vendors and partners.
ent, is to try to anticipate
So that's one area. I think longer term, AI is top of everyone's mind. Because the threat actors out there are going to be leveraging AI and they have already started doing that. So we need to keep up with that. We need to understand the external threat from AI. We also need to understand the internal risks of AI.
With our own users and with AI, there are unique risks that haven't existed before.
Bias and transparency and hallucination. So that could result directly or indirectly on our data and cause data breaches or data leakage. And so we have to understand that.
ive shift in the way that we
That's going to be potentially costly.
Have we started those conversations and have we started anticipating what that impact is going to be? Because with technology, if you look at just AI, how quickly did that become viral? And then we had machine learning before, but generative AI, it seemed like it just happened overnight. It did. Is that going to happen with quantum computing?
We're hearing about it now. Several years ago there were rumblings, but suddenly, overnight, it's going to be a thing. Are we going to have to deal with that?
I tell this story about the Tour de France and Lance Armstrong being caught cheating in the Tour de France.
two vials that were taken at
And that material was kept for years and years. And in the background, technology changed, and the tests became more specific and more reliable, and they were able to go back and test a B sample, which ultimately was the way that he got caught. But he had stopped riding long before that. He just got caught later.
So when I think about quantum computing, that analogy comes to my head. Files that have been stolen that are encrypted, and today we go, oh, those are encrypted, it's okay, there's probably no risk there, so we just don't worry about it. You can't really think that those bad guys actually take those files and just throw them away.
probably sooner rather than
It'll be a lot like AI, as you alluded to.
Yeah, and your story reminds me of the way passwords were used in the past, I don't know, 15 years ago? Oh yeah, it's password protected. Yeah. Today, even a complex password is not good enough. Even MFA is not infallible.
Hey so this is another question that I've been pondering for you. And that is if you had to pinpoint the single greatest misconception that executives or boards have about cybersecurity, what do you think it would be?
That our goal is to prevent all breaches all the time.
I think that it's important for them to understand that our goal is to reduce the likelihood of a breach as much as we can. But we can't make it zero. And so understanding that the likelihood is greater than zero is going to help them have the mindset of, then we also need to think about, again, resiliency.
How are we able to respond? How quickly can we detect, respond, and recover from
A lot
is a conversation about risk. How does risk play into that whole
That is
It's that congruent risk language and message. Then I think it'll be easier for them and better for them to be able to understand that the likelihood is greater than zero, and then how do we manage that risk and the impact of a cyber attack.
It clearly, with the ransomware, has moved from "oh, we're just going to lose some data" to
? Is this a thing I think we
Fortunately, I feel that in the past couple of organizations that I've been involved with, the board gets it. And when I first started here, they were challenging the security program and our security posture, but over time, they've gotten enough accurate risk communication that now they have a more accurate picture of where we are in terms of our security program.
And I do think that there are more board members who are cybersecurity aware, cybersecurity conscious from other experiences. And so they're able to help spread that message and the understanding of cybersecurity risk with the rest of the board.
Those are great people actually to have on your team.
on the cheerleader squad for
Do you do that kind of stuff?
Yeah, and indirectly. I think we have a really strong partnership with our compliance and privacy team. And a lot of times, the compliance officer has a dotted line to the board via the audit committee. So being able to have them as a partner and an advocate for the cybersecurity program, because you speak the same language, you collaborate, you communicate with each other, and they can incorporate cybersecurity as part of their risk management, enterprise risk management program to the board, that makes it look like you're part of that ecosystem that's being well managed and not a one-off.
The cybersecurity program and the cybersecurity guy, right? The department, it's part of your corporate governance ecosystem.
It's not something separate, it's something that's really built into the here's how we deliver healthcare safely and effectively to patients.
the risks to how we're delivering it, right?
he top risk. I agree. It may
For sure. Hey, there's a lot of up and comers. There's a lot of young folks in the industry.
Some of those are aspiring to sit in your chair one day. Do you have any advice for those folks? What they should do? What they should be thinking about? Training they should be taking? Yeah. Behavior they should be emulating? What advice do you have for those young folks?
I would say, become as technically proficient as you can, as a first step, whether that be self education or formal education.
Become technically proficient, download Kali Linux, build a virtual machine, learn how to use the pen testing tools on your own network. Those are really valuable fundamental skills for someone starting off in security because it is really based on technology. So once you have that, then the next challenge I think is getting that first job.
I think that's where we and
Then, as they progress in their career, as I mentioned before, learn the language of business, being risk management. As you become a security manager or security director, start learning how to talk about risk in a way that your business partners can understand it. Those are just some of the fundamental steps, I think, for someone getting started, someone mid-career, and then as you get more senior, I think by that time, maybe you've been around the block a couple of times.
Yeah, thanks for that. No, I think that's actually really terrific advice. I'm gonna ask you one more question. In the end, when your story as a cybersecurity leader is told, what do you hope the story will be? What do you think some of the best chapters in the book will be?
Yeah, that's
So when I think about things like that, it changes the way you look at decisions that you have to make, because then you look at the long game. You focus less on the immediate fire that you're trying to fight, which we all do every day. But you think about, okay, if I make this process change or this organizational change, or if I strengthen this partnership and implement this program,
am I going to be able, when I leave, to have that continue on beyond me? And to me, that is what I want to leave behind: our changes to an organization that are going to make it more secure, and that those changes are going to continue.
Yeah, I love that. The long term. This may be something else from our military days too, but leave it better than you found it.
Yes. And
It's always a pleasure talking to you, Drex, and thank you again for having me on.
Thanks for listening to this week's keynote. If you found value, share it with a peer. It's a great chance to discuss and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. it if you could do that. Thanks for listening. That's all for now.