This Week Health


June 9, 2023: What are CISOs' security priorities for 2023? In this webinar keynote, hear Shawna Hofer (St. Luke's), Erik Decker (Intermountain), and Vikrant Arora (Hospital for Special Surgery) discuss all things security. How do the CISOs prioritize their work based on the drivers within their healthcare organizations? What are some of the evolving cybersecurity threats in the healthcare industry? How does the increased reliance on third parties impact cybersecurity in healthcare? How are healthcare organizations addressing the challenge of educating users to combat phishing attacks? How are CISOs communicating risk within their organizations? Are there any regulatory changes on the horizon that will impact cybersecurity in healthcare?

Key Points:

  • Third party risk
  • Phishing and user education
  • Ransomware prevention and response
  • Decentralized IT environment
  • Worker shortage and burnout
  • Resiliency and patient safety

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

Just a mind shift in this as well is we gotta look at this from an adversarial mindset.

How are the attackers breaking in? What are they doing when they break in? What's their end game? What's their goal?

Welcome everybody to the April webinar. We're gonna look at priorities for Chief Information Security Officers. We're gonna give everybody a little bit of time to join, and we see the numbers are going up.

If you've attended any of these before, you know that what we do for the next three minutes is we just talk amongst ourselves. And at 1:03, we'll come back and we'll get started on the meat of the webinar. So I have two guests. We're still waiting for one more to join, but Shawna Hofer is here, the Chief Information Security Officer for St. Luke's out of Boise, Idaho. And Vikrant Arora, who is the Chief Information Security Officer at Hospital for Special Surgery. You guys serve very different populations, Boise, Idaho, and New York City. But Hospital for Special Surgery, you guys really have a global population as well, so that's fantastic.

And Erik Decker has joined. He is in the building but has no instructions, has no idea what we're gonna be doing cuz he just rolled in right on time. I hate to do that to you, Erik, but it's great to have you here. Here's what we're gonna do. What I'd like to do is get people to know you guys a little bit better before we start.

And we'll start in about two or three minutes after people join. Shawna, we'll start with you. What was your first job out of school?

First job out of school, I worked for Deloitte as an enterprise risk services consultant.

Wow. So you were always on this path to being a security officer?

I didn't know that I would end up in cybersecurity.

I knew I didn't wanna do accounting, which was my undergrad. And it just kind of fell in my lap and I'm so grateful. But it was really, I think that experience at Deloitte that helped give me that risk kind of lens that maybe those who grew up in the technology side didn't necessarily get as much.

So it's been beneficial for me.

Yeah. I like those firms like Deloitte. It's paid job hopping. Yeah. You go from project to project until you figure out what you really want to do and then you're off. And it's really the expectation they want. I mean, you need them. Yeah.

Oh, no, absolutely. Vic, what was your first job outta school?

My first job was working for Pfizer Pharmaceuticals. I was responsible for communicating impact of IT incidents globally, whether they were cyber or otherwise.

Wow. You guys must have been really good students. My first job was like, checking people into a hospital. Literally I was the person checking people into a hospital.

You guys obviously took your education more seriously than I did. Erik, what was your first job outta school?

I'm nowhere near Shawna and Vic. I was a desktop support analyst for a small R&D shop in California that was attempting to do healthcare exchanges using peer-to-peer protocols.

Like this is like Napster for medical records, which clearly didn't work. And I was like the support guy in a little small 50 shop development office.

Something people did not expect to hear on the Chief Information Security Officer priorities was the phrase Napster for medical records.

My gosh, I can only imagine what that would've been like. All right. Hey, we'll get into it. First of all, I wanna thank everybody who's joined us. All of us really commented, this is the best group of questions I think I've ever seen submitted for a webinar. So I'm looking forward to it. I'm gonna do our back and forth as little as possible and get to your questions 'cause they're just exceptional.

This particular one is part of our leadership series, and this is about the priorities that the Chief Information Security Officers are facing. I encourage you to ask your questions.

Now, we received like 40 some odd questions ahead of time, but if you have some questions as we go through, go ahead and put those in the chat. And I've encouraged these three to keep an eye on the chat and potentially answer 'em directly. If not, we'll try to incorporate them as we move along. Alright, quick introductions.

Erik Decker is the Chief Information Security Officer at Intermountain Health. Vikrant Arora, Hospital for Special Surgery, Chief Information Security Officer, and Shawna Hofer, St. Luke's at Boise, Idaho. Here's where I'd like to start. We've been doing this priority series. This is our third in the priority series, and every time I do it, I come back to a poll I did in early January, and the poll was: What will drive healthcare provider priorities in 2023?

And we had financial pressure, disruption, new entrants, patient experience, and worker shortage. I'm gonna change this around for you guys. And I guess my question is, if I were to write this poll for cybersecurity right now, what would be some of those drivers I would list that are potentially driving the priorities right now?

And Shawna, we'll start with you.

Yeah. Great. I think as I thought about how to answer this question, what ultimately ended up being my number one is, my drivers have to be aligned with the health system drivers. So if the health system is focusing in reaction to, some of their workforce challenges, for example, they're moving more towards automation or artificial intelligence type of capabilities, I have to be ahead of and enable those.

So really being able to support them is my number one. And then I transition into what are some of the evolving cybersecurity threats that continue to plague the healthcare industry. I added the third party risk challenge that continues to increase as we gain more reliance in healthcare on third parties.

And just the increased attack surface there, the evolution of phishing maturity and our challenge in educating our users to combat that with the compensating technical controls and ransomware. It's decreasing, I think, in terms of numbers, but the impact is still very high.

And so making sure that we're prepared to prevent and respond, that's what I would add.

Fantastic. Vic, how about you? I mean, what things would you say are setting the priorities for cybersecurity right now?

I think for us, the first and foremost is communicating risk within the organization, to the board, to external constituents.

Our partners, including the insurance brokers, have a harmonized language so that we are all on the same basis. Extremely important, 'cause we get pulled in so many directions depending on what the context is of cyber.

The second is applying cybersecurity controls consistently in an increasingly decentralized IT environment.

With cloud, consumerization, wearables, access to IT has become very easy. The IT departments are not the service providers anymore. They're more of brokers, if they're lucky; otherwise the business is out there getting whatever services they need from SaaS and what have you. So applying security in a consistent manner in that decentralized environment is something that is a priority.

And the last is, I think still from what you were saying earlier, the worker shortage or worker experience is true for cyber as well. Finding and retaining talent, and the stress faced by the security teams and the burnout, is another priority.

Fantastic. Erik, how about you?

Well, I won't repeat what Shawna and Vic just said, cuz those are on the list. I think the only one I'll add to this, and one that I think is incredibly important, is the concept of resiliency and patient safety.

It goes hand in hand with what Shawna was talking about, but as a profession, we really need to start thinking about this outside of the lens of just our own organizations and thinking about the ecosystem that we are participating in. When you look at the capacity that a hospital or hospital system has to bring in patients and care for patients, especially in an acute setting, emergency setting, trauma setting, we don't build in capacity in the case that we go over a hump. We as a hospital system tend to have diversion techniques, we have all these things where we push the patients off to another system that hopefully will be able to handle it, knowing that it's not usually the entirety of the list of patients. If a system goes down, it's not for a sustained outage, it's not for 30 to 60 days of how the capacity has been built.

It's for hours, or 24 hours or a day or two. So as a system, as a health system, when one system goes down in the ecosystem, it impacts everybody. And this happened with Scripps. It was seen that way, it happened with CommonSpirit. And so knowing that, that becomes immediately a patient care and public health and public safety problem.

And so, for us to solve for this, we have to be thinking about cyber as resiliency. Of course we have to continue to maintain the privacy and confidentiality of our data, but we've gotta move on from being a data security type of program to truly being a resiliency type of program, and thinking about it in that lens.

All the third party stuff that they talked about comes into play, the workforce stuff comes into play. The, certainly, I'll tell you from the federal lens and the federal government side the regional and public health component of how well the hospitals are actually able to sustain these and weather these types of attacks is acute.

They're acutely aware of it. And they want this problem to be solved because they don't want these crises to happen in our country. So we've gotta get better at that. And I think that's, for sure, one of my extreme top priorities just here at Intermountain.

It's interesting.

Resiliency is an interesting I'm gonna ask a different question, but resiliency is really interesting to me just because we used to ask the question of, what's that? What happens if that system's offline for an hour or two? And now we've gotta say, what happens if that system's offline for a week or two weeks?

Like what, two months?

Or two months, right. That's what we see one to two months. Yeah. Yeah.

And you talk about the interconnectedness of things, and I'll just go to the basic one, which is if your Active Directory is down for two weeks, nothing's happening.

Like, I mean, that's like the lifeblood of everything that's going on, cuz so many systems, and I didn't even realize this until we had an issue, but like our system to get into our data center was tied to our Active Directory. You couldn't get into the data. It was like silly things like that.

You're like, yeah, what were we thinking when we set this up? Well, we were thinking it was never gonna go down, and now we have to really go back and rethink through all that architecture again.

Yeah. And just a mind shift in this as well is we gotta look at this from an adversarial mindset.

How are the attackers breaking in? What are they doing when they break in? What's their end game? What's their goal? Of course, their end game and goal is extortion, trying to get financial gain and fraud. But the means by which they do it, Bill, it's exactly what you said. At the end of the day, they're hitting Active Directory as hard as they possibly can because that's the biggest place that they can do the most damage.

So when we look at our whole program and we're like blocking and tackling everything that could possibly happen, if you apply the adversarial lens to this, you're gonna get a lot better bang for the buck from doing security around that. So Active Directory for sure should be in your list of tool sets, about how you are hardening them.

Are you applying an isolation design structure? It used to be called red forests. Microsoft got rid of that term. They don't have a good term for it anymore, but it's a brilliant strategy for how to secure AD just from an architectural perspective. And then of course, there's all kinds of tools and processes and monitoring that goes with it.

Vic, let's go to you. Are there any regulatory changes that you're keeping your eye on at this point? Not that we're driven by regulatory, but we're sort of required to follow it.

Yeah. Nothing in healthcare, by the way. Am I better audible now?

Yeah. No, that's better.

So, nothing in healthcare specifically. I always say technology is the first one to move, followed by security that's trying to catch up with tech.

And then after that comes the regulation. That's trying to catch up with security. And the regulation that we're watching is mostly the US Securities and Exchange Commission. They're coming up with regulations that would require board members to have cyber knowledge and put more responsibility in cyber oversight.

I think it's gonna trickle into other sectors, even though they're not obligated, but that would set us a gold standard. HIPAA hasn't changed since 1996. I'm hoping there is a change. There's a lot of non-binding guidance that FDA issues. They recently issued a regulation, section 524B, for medical devices to be more secure.

But again, they're always saying you're not legally required. It's just a best practice and guidance. So mostly looking at the Securities and Exchange Commission and the New York Department of Financial Services. They're revising their cybersecurity rule, but they don't directly apply to healthcare as such, other than to get guidance.

So there's a lot of talk in this space. I mean, Senator Warner and all that stuff. There's the FDA you talked about. There's always a lot of talk going, but there's no specific healthcare requirements that are sort of falling out right now. I'm sort of throwing that out to the field.

I don't... Any thoughts on that?

It's coming. So, it is absolutely... there is a lot of interest, not even just within HHS, but also outside of HHS: the National Security Council, driven by the major executive sponsor pushing on this, Anne Neuberger. CISA has been involved in this. The federal government knows, as you saw with Warner's paper. The National Cybersecurity Strategy didn't call out healthcare specifically, but it did call out the need for minimum standards, vendor liabilities to be better.

This is being discussed and explored right now, as far as what kind of model should it be. The things that we're pushing for from an advisory perspective are reimbursements, call 'em CMS facility fee reimbursements, something along those lines that are tied to minimum requirements, baseline requirements, whatever we wanna call these things.

And by and large, when we've been, and this is, I'm speaking as the chair of the cyber working group, when we've been talking with our constituents on this, it hasn't been rejected as a "we know we shouldn't do this." The caveat has been: we should do this, but we have no resources to do an unfunded mandate, and so we really need to partner on that process.

Yeah. No, that makes perfect sense. Here's my last question, and then I'm gonna go to the participant questions. Shawna, I'm gonna come to you. How important are security frameworks in establishing a foundation for the discussion internally and with your board and other things, in order to really drive a consistent approach to cybersecurity?

I think they're very important in kind of all of those aspects. I especially kind of driving that board conversation, cybersecurity is such a challenging topic, and so to be able to communicate it in a way that our board can understand without having to get into the specifics is incredibly helpful because you can assess maturity and therefore risk through that lens.

I think when you think about the multitude of frameworks that are available, it can feel complicated for cybersecurity teams to align on any particular one or multiple. So I think in some regards they're beneficial and also can be challenging, but I think they drive really great things, and without them I think a cybersecurity group, team, organization can get a little lost or a little unorganized.

And I know Erik's done a nice job kind of helping provide some of those frameworks to smaller and medium size organizations as well, and specifically in healthcare, which is really helpful for healthcare organizations. Erik, maybe you could add a little bit to that on HICP.

Yeah, you were breaking up at the end there. Yeah.

Happy to. I think you mentioned, you referenced HICP, so I'm happy to jump in on that. Yeah. One of the frameworks that we produced as part of this joint critical infrastructure partnership with HHS is the Health Industry Cybersecurity Practices, or HICP.

That is a hygiene document, ten practices to mitigate five threats, stratified by small, medium, and large organizations. It was released at the end of 2018, right at the beginning of 2019. We have a new version, HICP 2023, coming out imminently, I mean, hopefully next week or soon thereafter. And also from an incentive perspective.

That publication has been amended into HITECH, of HIPAA and HITECH, and noted as a recognized cybersecurity practice. And OCR is required to evaluate your adoption of HICP when considering any kind of enforcement action against you. And so if you can demonstrate you've implemented a good recognized cybersecurity practice regime for the last 12 months, you're gonna be in a good position with OCR if something occurs.

All right. So I'm gonna start going through the questions that were submitted. I will either say I'll throw it out to the field, and if you have an opinion on it, you can answer it. Or I'll say this is an all play. So I'm gonna start with an all play. And this, I want just a brief answer of "this is how this is done."

And the question from the chat is: do you report to the board, and how, and what are you reporting to the board? So just briefly, how do you report? Do you address the board directly? Do you address a subcommittee of the board? And what kind of things do you report up?

And Shawna, we'll start with you.

Yeah. I've only gone to our main board once, but routinely go to a subcommittee of the board, really focusing on level of maturity, level of risk reduction, and any escalations of support that we might need, at the highest level.

Fantastic. Vic, how about you?

I report to a subcommittee of the board called the audit committee on a monthly basis.

And we have a one page dashboard that we created recently for their consumption. It has three main sections. One, like Shawna said, it has program maturity. The second is strategic risks. These are long-term risks impacting the organization in the long term. And the third is operational risk, where there has been identified failure of people, process, technologies, or external events.

So these are the three categories that we report to the committee on a monthly basis.

And if you want more details on that, Vic wrote an article. We put it out on LinkedIn. Cool. Great article. Appreciate it. Erik, how about you?

Quarterly to the audit and compliance committee, a subcommittee of the board, and ERM metrics and program maturity.

All right. This one I'm gonna throw out to the field. How does operating in the cloud affect your security strategy? Who wants to grab that one?

First there. Significantly. It requires different skills, processes, and tooling. It's a lot more prone to errors due to lack of knowledge and inherent decentralized architecture. So that's why I said significantly.

Yeah, so there's a significant impact. It's very different than operating just locally in your environment.

Let's see. Do you think... let's see. I'm curious about the leading methods you have implemented for third party risk management. Shawna, I'm gonna come to you since you mentioned this. What are some of the approaches that we are taking for third party risk management?

I think I would say the most common across the industry, right? We're doing our best to assess the risk of partnering with organizations. We're doing our best to mitigate that risk through language and contracts, making sure that we're able to hold those partners accountable. And where I think, as Erik talked about resiliency, where we probably as an industry need to pay more attention is how are we paying attention to the resiliency aspect of that partner failing us, for example, they have a major incident, they have an issue.

What is the plan? So just high level, but balancing all of that and kind of time management, the organization usually wants to move quickly. These things take time. So finding the right balance for all of those things, I think, is really what we're struggling with right now.

Yeah. And by the way, all three of these people are professionals, so they're not gonna answer specifically and say, this is exactly what we're doing.

They're gonna say things like, this is what we're seeing in the industry and this is what we see. I mean, because essentially we've been taught not to tell people what our specific approaches are. I'm curious, third party risk management's a pretty big topic, so I'd love to hear from either of the...

Sure. I'll jump in. So I think this is one of those cases where nobody is satisfied with how we're doing it. The HDOs, the hospitals aren't satisfied, the vendors aren't satisfied. It is point in time, it's transactional. Even with platforms that are out there to collect all this information and do it in a more streamlined way.

Maybe you can get from 30 days to 15 days of execution on one assessment. And we're talking about thousands of vendors that we have. So it doesn't scale. And the way that we have approached third party risk is also a bit of a professional, what's the right way to say this?

There's a professional aptitude. Well, let me change the way I'm gonna say this. The value of the third party risk program is being determined by how good you are at assessing the risk in a particular transaction. And that doesn't work in an ecosystem mindset.

Not to suggest, of course, we have to find the risks and the issues. So when you think about third party risk from our current state Data, of course, is the one that we always go to. They have our data, so we've gotta secure the data. But you gotta think about it from a conduit perspective.

Can the third party connect into us and cause us damage and harm? And how much damage and harm can happen? And you also have to look at it from mission criticality and functionality. I mean, some vendors that you might not even ever consider to throw into that group, like laundry services or PPE delivery services, are vital to the delivery of care.

And they all run off of digital systems too. So first start with those three mindsets, and then we need to change this as a profession. We need to move into more of a, a term that I'm kind of toying with, a SIEM for third party risk management. So if we could build rules that we care about: a vendor fails to deliver two-factor authentication, or fails to deliver on an incident response, or something along those lines. And we have a whole group of people continually assessing that same vendor. I don't need to do that assessment again if Shawna's already done it or Vic has already done it.

What I care about are very specific rules, very specific interactions that I have with that third party. And so when that pops, let me know so I can take a response and do something with it. Otherwise, we just can't keep up. I mean, at Intermountain we have a lot of people that are focused on this, and you cannot keep up with conducting all these assessments year over year and actually getting to continual coverage based on a manual process, even with platforms.

So we gotta, we've gotta do this continually.

And that gets to the next question, which is: do you think the security incident and event management workflows are still proactive enough and fast enough given the current speed of adversaries? And essentially the other part would be the number of attack vectors we're really trying to protect.

Do the current systems and workflows, are they real time enough at this point? I'll throw that out to the field. These are great questions. They're just not easy questions.

Is anything easy in cybersecurity, Bill? I'll just share my personal opinion. I don't think it's fast enough. I mean, I think, just evidenced by many of the incidents that our industry has faced, I would venture to guess that many of them probably did have security incident event monitoring.

But the reality is, it's hard to stay on top of all of the rules. It's hard to avoid alert fatigue for the people who are watching it. Like Vic said, right? We need the people still to have eyes on that. And I think as we continue to create more complex environments, it's gonna be harder to stay on top of and easier to get behind. So I think there's work there.

Yeah. No, absolutely.

Alex's Lemonade Stand was started by my daughter Alex in her front yard. By the time she was four, she knew there was more that could be done. And she told us she was gonna have a lemonade stand and she wanted to give the money to her doctor so they could help kids like her.

It was cute. Right? She's gonna cure cancer with a lemonade stand like only a four year old would.

But from day one, it just exceeded anything we could have imagined because people responded so generously to her.

We are working to give back and are excited to partner with Alex's Lemonade Stand this year. Having a child with cancer is one of the most painful and difficult situations a family can face. At Alex's Lemonade Stand Foundation, they understand the personal side of the diagnosis, the resources needed, and the impact that funded research can have for better treatments and more cures.

You can get more information about them at alex's

We are asking you to join us. You can hit our website. There's a banner at the top and it says Alex's Lemonade Stand there. You can click on that and give money directly to the lemonade stand itself.

Now, back to the show.

So, this one: what is the one thing you wish you had done differently, that is advice you could offer to somebody who's in the CISO role, maybe new to the CISO role? This is gonna be probably an all play, and Vic, I'll start with you.

As you look over your career in this role, what do you wish you had, I don't know, maybe done differently or just approached a little differently?

Yeah. I probably had a very linear path to cybersecurity, but in general, what I recommend to people looking for a career in cybersecurity is that there is no linear path. I've seen people from different formal backgrounds, technical as well as non-technical, make their way into cyber.

So I wanna encourage everybody to pursue it. If they have the interest, they can acquire the skills. The other advice I usually give people is that you should not think of CISO as the ultimate role in cybersecurity. It's not meant for everybody, even though it is at the highest point of leadership in cybersecurity, but it's not meant for everybody.

I've seen excellent security engineers, incident responders, forensics experts who are world renowned. So if that is your niche and interest within cyber, and not management and leadership, pursue that. 'Cause we need more of that than CISOs. But if you're specifically looking to pursue a career in becoming a CISO, or you are a new CISO.

I usually break it down into three things. One is having functional knowledge like operations, governance, risk and compliance, engineering operations or architecture. Second is business acumen. Whatever industry you are in, learn the business: how the business operates, how the hospital works, how the organization works.

And the third is just general management, budget management, people management. So those are the areas I recommend people to kind of brush up on within CISO. But don't look at CISO as the ultimate career choice if that's not for you.

Erik, how about you? What's something you wish you had known or done differently in your career?

First of all, I think there are kind of two buckets of CISOs that are out there. There's the enterprise CISO for a large corporate organization, or a corporate organization, it doesn't have to be large. For a corporate organization, that is serving as a relationship, a strategist and a business leader.

And then there's the CISO who is highly technical, generally in more startup roles, serving in many capacities. Their hands are, their sleeves are rolled up, they're in there, pounding out new code. And also providing, awesome insight into where the company's gotta go. Those, depending on the company that you're with and the organization that you're with, you might be amazing in one and not effective in the other.

As an example, I would be terrible in a startup company because I am not that guy. So the advice that I would give you for a corporate CISO, enterprise CISO, is: don't assume when you take the role that being factually correct means that you're actually right. Because you can be right.

You can have all the facts behind you. You can have all the data that shows your decision is the right decision, but you fail to realize that the role is actually a negotiating role and a business role. And so if you're working with a partner inside your organization, you're trying to drive a strategy forward, you've gotta meet them on their terms as far as how that's gonna be done.

Now, there are certain things that, of course, should be bright lines; you shouldn't cross the line. But a lot of what we do is not, and so you have to be able to figure out how do you ultimately get to that outcome that you're factually correct about while bringing that person with you, or them bringing you along, to get there.

Oh, questions keep coming in. Shawna, do you wanna add to that?

The only thing I think I'd add, I like both of those. What I would add, and what I wish I had done differently early on in my CISO career, is to have been more intentional about the trust I built early on. I think having trust both with the business and with your internal IT type partners, they're critical to whatever type of CISO you are or whatever you're trying to achieve.

And without that trust in those relationships, being able to pursue and come to alignment, as Erik mentioned, is going to be more challenging. I would've focused on that early on.

All right. I'm gonna try to speed us up going through some of these questions. Some of these I've never even thought about.

Are you looking into leveraging a more secure network than wifi to decrease connection vulnerabilities? Is that on your radar? It's whoever wants to answer that one it's

not for me. Based on what the threats are that we're facing, are the threats that we're facing are geopolitical nation state, a p t.

It's not local, people sitting necessarily in the parking lot trying to break in, through a local thing. And wifi connections and such like that are more those types of attacks and more localized attacks. And that's not where our launch is getting handed to us. It's elsewhere.

And so network security, of course, and segmentation and micro-segmentation and those kinds of mindsets are effective at stopping the spread from lateral movement when an attacker gets in the environment and they're moving east-west and trying to get around. Those are really effective tools at limiting it.

But wireless itself, yeah, not at the top of the list. Let's see.

What are you looking to change in your security portfolio this year? Is there any area that's sort of risen? I mean, ransomware was so huge for so long, and obviously we still need to protect against it. Is there something that's sort of on your radar that's rising right now that you think we're probably gonna need some tools around these different areas as we move forward?

And you can speak in general terms, not specific terms. That would be fine.

I would say it's something that I think, Bill, you and Erik touched upon earlier: it's resiliency. We're trying to make sure that we identify our crown jewels and make sure that we have downtime procedures for all of them that are documented, and that we can operate without the application for a predictable amount of time.

Because the length of outages due to ransomware has been not weeks, but months. And we all saw that during the Kronos outage: being without the ability to process payroll for one to two months could cause significant damages to an organization. So resilience is something that has kind of risen up given ransomware and other things that can go wrong.

Shawna, how about you? Is there something you're looking at right now that you're like, hey, we might need to add something to our portfolio?

I think for me, I would only add to that being prepared for artificial intelligence. I think there's a lot of interest in the healthcare industry to understand how it can help our healthcare workers be more effective and efficient.

So how do we enable that securely? I think there's a lot of opinions about it, and I certainly have my own mixed opinions. But recognizing that's heading my way is something that I'm thinking about coming up.

Let me throw one at you. I was talking to a CIO today and he was asking me if I'd heard of health systems turning off access to ChatGPT, and I said, I really haven't.

I said, why do you ask the question? He goes, because there's an organization next to us that has turned off access, and they're not in healthcare, they're in some other industry. And he goes, essentially the people were using it and putting their patents, or patentable material, onto ChatGPT saying, oh, I wonder if it can help me with X, Y, and Z.

And it's like, no. That's our intellectual property. You can't do that. Well, couldn't we have that same thing happen in healthcare? I mean, couldn't we just be putting PHI right out there? Is that something you even consider, like blocking access to a tool like that? Erik, I'll come to you.

Scary. And what's scary about it is, do we really know how those models are working? You read the terms of use and things, like OpenAI's, and you hear what they say, but you know that the inputs you're putting into ChatGPT in particular are being used to turn back around statements, because you can talk with it and it remembers what you've talked about.

And of course there's gotta be value in millions of people submitting questions and retraining the model based on that. So it is a bit of a Pandora's box. It has been opened, and for sure conversations have been happening in healthcare about PHI going into those kinds of organizations.

What are the right contracts, the BAAs, the data leakage, the control that you can have around that? How do you actually leverage it in a way that can be helpful in a healthcare space? It is bleeding edge right now. And so you gotta be careful, is the easiest way I would say there.


And I'm sure we could talk about this for a while, and I don't wanna get bogged down on it, but it is a great example: it felt like a hundred million people between October and December signed on to start using this thing. It's like, oh my gosh, where did this come from and how did it get so big so quickly?

But that's the kind of thing, as a CISO, you're dealing with. It's like, oh, we've got a new attack vector. It's just really interesting. Let's go back to: when will something like passkeys make it to EHR vendors? I know. Anybody want to take this one?

I'll take that, actually.

When I was looking at the questions, I think it's probably my favorite question of the day. I think very rarely is there an opportunity for a security professional to deliver something that is both secure and convenient. When does that happen? We usually put security and convenience on opposite ends of a scale. With things like passkeys, or, to generalize a little bit, FIDO2 standards, we can offer our patients the ability to log in more securely and more easily, and by more easily, I mean without a password.

We can prevent medical fraud, we can improve access to care, we can increase adoption of MyChart. But the biggest roadblock, or the uphill battle organizations would face in that, and we're going through that journey right now, is decoupling identity and access management from your EMRs into standalone systems.

Because right now EMRs, besides handling all the clinical workflows, also handle patient authentication and usernames and passwords. In order to leverage something like this and have a flexible architecture rather than a monolithic IAM (identity and access management) architecture, you need to decouple the two.

But the benefits hugely outweigh the

Are the EHR vendors amenable to decoupling them? No, but that model makes sense to me.

It depends on the EMR you're using. Right, right, right. I think I know which one. No, thanks for saying that.

I mean, what you just said makes perfect sense to me. And then I thought, wow, could we actually do that? And there's still some conversations to have before we can really get to that point. Next question. Given the recent NIST guidelines that say first you need to inventory your PHI, what say you on that guidance?

I love how they phrase that question. What say you on that guidance? Are we inventorying all of our PHI? Do we know where all of our PHI is? I mean, let's just talk. As an industry, I think we would all agree we don't know where all of our PHI is. But the guide set for is in every asset that we

Yeah. That's where it's, I mean,

but is there a push to inventory all the PHI, to like find it first?

So this is where I was going at the beginning of this, and I'm just kind of briefly touching on it. The idea that we have crown jewel secrets and troves of databases and repositories of things in locked corners and closets that we throw all of our controls around, and control the data going in and out like traffic cops, and it's gotta pass through a toll gate before it can leave.

That is not how healthcare works. It is an ecosystem. It is connected, it is interfaced, it is flowing. Understanding your key assets, where your assets are, your endpoints, your servers, your applications, is of course important for being able to secure all of that. But the data mapping construct, in my opinion, is like, I made a joke about it, but it's true.

I mean, literally, we are a profession where 80% of our workforce must have access to PHI in order to do their job. This is not Coke's secret formula where only two have it, and you apply a very structured, sort of dogmatic approach to finding where it all lives. So the discovery of PHI can be useful for data protection regimes, data loss prevention regimes.

In order to do that right, you've gotta have fully automated systems that understand how to classify it, contextualize it, and then apply rules around it. And those things can be pretty expensive when you do that at scale. So in general the advice I give is you gotta look at the whole program.

You gotta look at the whole construct of what you're covering and what the threats are that you're worried about. From a data mapping perspective, what does that get you to from a threat perspective? Is it data leakage? Is it things moving out to a partner that they shouldn't be moving out to?

Is it an individual being able to accidentally disclose information that they shouldn't be able to disclose? When you look at it that way, then you look at, well, how do you put the controls and roadblocks in place for the action that would cause the problem to happen in the first place?

I think the first part of that answer is really intriguing to me, in that if I could give you a map that showed you, here's where all your PHI is, you would look at me and say, that's great, that's where it's at right now. A second later it's gonna be different.

Yeah. But during the day, it's gonna move up here, then it's gonna move down here, then it's gonna move over here. And it looks more like that traffic map that you see. It's like, there's the PHI, it's going from here to here, and now it's going from here to here. And it's just moving at all times.

Knowing where it originates and is stored is important, but knowing how it flows through the organization is also incredibly important. Absolutely.

Now, if I can just add to that, Bill, I agree with everything. It's a very dynamic space and you have to assume that it exists everywhere.

So you gotta look at data at rest and the traffic model, which is data in motion. But one thing I would strongly recommend everybody look at is exact data match. There are a lot of data loss prevention tools that offer that, meaning the false positives are literally not there, as opposed to regular expressions where you say, oh, nine digits make up a Social, but they could also be a credit card or what have you.

So investing in exact data match can significantly increase the fidelity of your capability to identify PHI, whether at rest or in motion.

All right. And Shawna, since you didn't answer the last question, you're gonna go first on this one. What is your strategy for ensuring an adequate cyber budget?

I go back to what I mentioned in one of my lessons learned: building trust. I think having the trust of my executive team, that when I request budget it's because I actually need the budget and I've done my due diligence to know that I am going to be responsible with those funds, I'm going to appropriately mitigate risk with those funds, and that it's the right thing for the organization.

And that's taken time to build. But it's led me to a really good place where I usually don't have those challenges anymore.

Vic, how about you? Any specific strategies for securing the adequate budget?

Yeah, I think this is the toughest question. I'm glad you didn't ask me first, but it's difficult.

I think the better security professionals become at determining true risk, communicating it, and then showing changes in risk posture with either an investment in a tool or changes in the external threat landscape, that can help with the budget. But it is a struggle. I don't have clear advice that will help people get the budget they need.

There's no magic secret. Erik, do you have a magic secret way to get all the budget that's needed for cybersecurity?

So, start measuring your cyber program as an investment relative to revenue, not as an investment relative to IT, and figure out the percentage associated with that. Then marry that up with maturity, which for now is okay.

Although I think cyber maturity is also a thing that ultimately needs to change and get into effectiveness. So if you tie your investment to maturity, one would assume the better the investment, the better the maturity should be. Don't assume that hypothesis is actually accurate, though; you can spend money and not actually achieve value and just waste it.

But once you get to a steady state, or if you're in a growth period of investment, determine a band, an upper range and a lower range, and work with your CFO, so that you're at a state where you feel like that investment can wiggle within five to ten percent of that upper and lower range.

And then that allows you time to flex and to squeeze and to grow during financial pressures. It gives your CFO and your executives a range to work with, so that they understand what underinvestment looks like and they also understand what overinvestment can look like.

Well, do you have industry benchmarks? I mean, do you, like, oh, you

would ask that question. Coming very soon. The landscape analysis that we're doing right now in this joint partnership with the Health Sector Coordinating Council Cybersecurity Working Group will, hopefully, knock on wood, be releasing this month some analysis that shows exactly what at least the 60 hospital systems who have participated in this look like from an investment range.

So we've box-and-whisker graphed this, showing what the lowest 1% to the top hundredth percentile looks like. And as long as you account for all your cyber costs, that's not just your cyber budget, that's what's in your portfolio, because you might not operationally own all of the elements of cybersecurity, right?

But as long as you normalize to that, you'll be able to show where you are in that threshold, and that might help you. Yeah,

I assume all of you have a slide that shows that Scripps lost 210 to 250 million that every now and then you pull out to say, look, this is what happens, or what could potentially happen, if we have this kind of an event.

And you can obviously scale that to your organization and say, this is what it means. But you can't play that card all the time, can you? I mean, you can maybe throw it out to the board and say, you may not have known it's this much money, but you're not doing that every time you say, hey, I need to buy a new tool.

Remember, 210 to 250 million?

Yeah. This is where I say our profession, the enterprise CISO side of the profession, you need to be a business leader. And that means you need to have financial acumen and you need to be able to put a pro forma together, in my opinion, and show what the costs look like.

What you're gonna scale to, and what those costs look like pursuant to that scale, and then how you fit within a range, just like any other executive would be expected to do in healthcare.

Talking about range, in general I've seen nine to 15% of IT as being that range for cyber. And again, it depends what's included or not, but at a high level, nine being the least mature organization as a percentage of IT, and 15 being a healthy percentage.

That's what I've seen generally used. Again, a lot of validation needs to happen there, but just to give out a reference.

All right, I'm gonna try to get through six questions in six minutes. Here we go. What level of priority and investment is being made to address things related to IoT and medical devices?

Who would like to take that with a one minute answer?

Middle class, upper middle class level priority.

Yeah. Because there's so many of them and they're related to patient care. So,

And is it the exact way that we're getting beat right now? That's up for question. There's other ways that we're getting beat, but important.

Shawna, what's the number one? I'm just gonna start calling on you. It'll keep the time. Shawna, what's the number one threat keeping you up at night as the technology world changes constantly?

Patient safety. I mean, at the end of the day, we are a health system, and how do I, as a CISO, let our organization continue to keep patients safe?

Yeah, absolutely. Vic, how is AI changing the, I'm gonna change the question. They said, how is AI changing the patient experience? I'm gonna ask you, how is AI changing cybersecurity, the protection of patient data?

I don't think it's being helpful at this point. It's mostly another vector of compromise, and we have no tools that are designed to have a secure AI


So are you using it internally to start? Look, I mean, one of the problems we used to have is way too many dashboards and alerts, and we just didn't have the resources. Is AI starting to step in there and weed those out a little bit for us? No, not yet. Okay. Let's see. How important are historical downtime statistics in choosing a cloud hyperscaler for patient or clinician facing applications?

And Erik, you get to go next.

Past performance is always important to look at. Is it always gonna be a predictor of future? Not necessarily. So, and more important is understanding how critical that app is to your business operations. And if it is highly critical plan for it to be out.

And it's interesting, you put stuff in the cloud and you're like, well, look, Amazon is pretty reliable.

And, but what you realize is enterprises that go into Amazon build out resiliency within the Amazon cloud. Like they expect this region or this whatever to fail and they're gonna fail over to another region. So even if you're moving stuff to the cloud, you still have to do all that work of saying, okay, what if that fails?

And build it out. And we've talked about that a bunch. Shawna, is healthcare considering security solutions like DLP, CASBs, SWG for their clinics and remote telehealth workers? And I'll be honest, I don't know what all three of those acronyms are. Are you considering them for clinics and remote telehealth workers?

Of course. Of course. I think you have to make sure that you're covering both on-prem and off-prem with your security controls. And that's really just understanding the architecture and where your risks are.

Yeah. Wherever they are, you have to protect it, 100%. CISO collaboration with data protection and storage teams to ensure an airtight environment. This is the problem with these forms, they don't form a question. But I assume, Vic, I'll go to you, I assume you have a great relationship with the internal IT team with regard to standing up the right protocols and security practices.

Yeah, and I think what they're asking is how do you balance that relationship? And I think Shawna touched upon it earlier, which I like very much: building trust with the teams, making sure they're educated on the cyber risks. And what we normally do is we have a risk acceptance framework where we make sure that the business that is benefiting from an investment is also accepting the risk.

So if they wanna go a hundred miles an hour, they accept that risk. And it's not the CIO or the CISO accepting the risk.

And Erik, I think this will be the last question. How does API security stack up in the list of priorities in 2023?

This is part of your cloud journey and part of your digital journey.

And depending on where you are in that spectrum, if you're pushing heavily into cloud, infrastructure as code, all of that, then it's incredibly important, because it is part of your life cycle of protection and review and configuration. So if you're not there yet, then it might not stack up as high on your list of things to do.

Automation, is automation a big priority right now for security officers? I see heads shaking. Yes. So we just actually hired our first data scientist and are trying to play out a really interesting space of how we can leverage data science to sort of solve for some of our challenges.

Very new, so nothing to showcase yet, but something we're certainly

interested in. And definitely the last question. Are you seeing SaaS solutions that will identify the risk and then dynamically use SASE to resolve these incidents? Sorry, I should have my glasses on, but are you seeing SaaS solutions popping up in that manner?

Yeah, I think SASE solutions, such as security at the edge or cloud access security brokers, are gonna become increasingly important and a must-have in your toolkit to handle security with SaaS providers.

Fantastic. Hey, I wanna thank the three of you for being on the hot seat and taking as many questions as you did.

Really appreciate it. Shawna, Vic, and Erik, thank you very much. Thank you. Thank you. Thank you.

I love the chance to have these conversations. I think if I were a CIO today, I would have every team member listen to a show like this one. I believe it's conference level value every week. If you wanna support This Week Health, tell someone about our channels; that would really benefit us. We have a mission of getting our content into as many hands as possible, and if you're listening to it, hopefully you find value, and if you could tell somebody else about it, it helps us to achieve our mission. We have two channels. We have the conference channel, which you're listening to, and This Week Health Newsroom. Check them out today. You can find them wherever you listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. We wanna thank our keynote partners, CDW, Rubrik, Sectra and Trellix, who invest in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.


© Copyright 2024 Health Lyrics All rights reserved