This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

And that really is the frontline battle that I think. We can help with, right? Helping that transformation happen by helping connect people who are in that same trench, they're in that same war with you, and they're trying to figure their stuff out too.

Thanks for joining us on this keynote episode, a This Week Health conference show. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, A set of channels dedicated to keeping health IT staff current and engaged. For five years, we've been making podcasts that amplify great thinking to propel healthcare forward. Special thanks to our keynote show. CDW, Rubrik, Sectra and Trellix for choosing to invest in our mission to develop the next generation of health leaders. Now onto our show.

(Main)   all right, it's keynote. And today we have a special announcement and special guests on the show. Drex DeFord has joined the team at This Week Health as President of the 229 Project Risk and Security Community.

And he has joined us here this morning. So Drex, welcome to the show.

Thank you. I appreciate it. This is going to be fun. It

is going to be. I feel like I stole your thunder just right there in the opening. But I wasn't sure how we were going to do this. This is one of those shows that's pretty interesting to me because usually I have a whole bunch of notes.

I've done a whole bunch of research. But this is going to be you and I riffing about Cybersecurity we're going to be talking about the communities that already exist within cybersecurity and risk. And we're not looking to replace those things. We're looking to augment those things and whatnot.

and we're going to be talking about the challenge that those people face and how we would like to support them in that. So it's going to be fun. So I think the first thing people want to know is, why make the move? You were pretty well situated over at CrowdStrike and it's a great company.

You were doing great work over there. Why would you

make the move?

Look, there's a lot of things that kind of conspire, I think to get me to this point. You and I have talked for years about this. From the time you started doing the podcast, I've been on your advisory board, and I think we've had conversations multiple times that have been in the construct of if I wasn't doing this, I would want to do what you do.

And initially those were just offhanded comments because I like what you do. I like the way that you bring people together and you've really built community that and I go to 229 events. And what I hear from people are just like, this is fantastic. I have people's phone numbers. Now I realized that person is really good at this, which is something that I am not great at.

And so I have a, like a new best friend. Like I'm totally going to be picking this person's brain all the time, including the partners who come right. The vendor partners who come and are a part of this. It really started with podcasts, really started with content, helping people share what they were doing and what they were working on.

It's turned into this events work now and the 229 stuff. For me, it was look, I've been in CrowdStrike for a long time. Most people don't realize, but I was at CrowdStrike for three years before I joined CrowdStrike as executive healthcare strategist. So I started with CrowdStrike when they were, let's just say they were a $300 million a year, a RR company, and now they're a $3 billion a year, a RR company.

Healthcare in that helping John Kirkman and others start that healthcare vertical at CrowdStrike has come a long way. there's still tons of work to do, obviously, there's still tons of work to do in cybersecurity. But you and I continuing to have this conversation about what's next and what's next for me really Put me at a point where I was like, I think I can do more good for cyber security, helping to organize and build this community that we're talking about, than I can probably at any individual vendor, sponsor. Organization. And while I loved my time at CrowdStrike, I still think it's a great product.

I think there's more good for me to do doing this. And that kind of drove me to the decision.

I don't know if people know this, but you've been with me in this. Since the start, I think you were episode two or three. Yeah. I think David Chou was episode two.

At that point, he had a massive following. I thought, oh, I'll have David Chou on and we talked. And I think you were the next week. And then Sue Shade was the fourth week. I just read, we clicked on that first show. It was a very natural, it was a very easy conversation. And I thought, I'm going to have him back on.

That was fun. Cause I was new to this and it was a lot of stress. The first couple ones I did. And with you, it was just a natural conversation. So you were around in the beginning of the podcast, but I don't think what people know is you were around at the beginning of the genesis for the 229 project.

as I tell the story February 29th, 2020 was the first reported case of COVID to the CDC. And, my phone started ringing, your phone started ringing, and people were saying, Hey what's Vanderbilt doing? What's UCLA doing? What's, and I'm like, call Neil, call Mike, like, aren't you calling these people?

They'll tell you what they're doing. They're like I don't really know him. I've seen him up on stage. I don't really know him. And you were one of my first phone calls. And I said, Hey, what's, how are you experiencing this? And you're like, yeah, I'm getting these phone calls too. And I'm bringing people together.

We're doing open zoom meetings where people can just drop in and we're talking about what people are doing and stuff. And so we had a similar vision of there's got to be a way to support the community at this time. And so we did what we needed to do. over that short period of time. And then we started to have a conversation of, okay we're through the really difficult part of the pandemic from an IT preparation and getting things stood up.

But we have to go back and solve this problem of the community's not as connected as was required for a pandemic and probably is not as connected as it needs to for the challenges that healthcare is going to face. And we just started spitballing and saying does it look like this?

Does it look like this? And eventually what was born were these two and a half day round tables. And the agenda is the people in the room, facilitating them having conversation, because as we brought more CIOs into the discussion, They're like, Oh, there's too many events on our calendar.

And I said what's the best part of the events? They're like, Oh, that's easy. It's like when we go over to Starbucks or when we go to a bar and sit around a table and we talk, I'm like, what if we did a whole event that was that, and then we're just like, yes, that's what we want. We want to sit around and talk to each other.

I'm like, all right, let's do that. And you were there through that whole process. And now you've been to a couple of 229 events. It really is. The vision we had for it early on, it's really working out.

for both the sponsors and for the attendees, the CIOs or the CISOs that have been in the room when I've done a 229 event the response Afterwards, when I talk to them, it's always just can I sign up for another one?

How do I go to another one of these? This was so good. the other people in the room talking about, this is what I'm really good at, and this is where I'm really struggling, and finding those people where there was a great overlap of you're struggling with something I'm really good at, and vice versa, we can help each other.

And it was permanent. Long term connections that happen in a room like that are really rare. it's hard to make those connections because we're all professionals. We go to these conferences, we're nice to each other, we smile, we see folks on stage. Often those conversations aren't super specific.

They're very high level like you walk out of sometimes those panel discussions or other things and you're like, that was good. I don't know that I have something practical I can go home with and implement and actually make things better. But with 229 events, people sitting at the table taking Copious notes, things other people like them at organizations like theirs with problems like theirs are teaching them, telling them, here's how we solve that problem, or at least here's how we're thinking about that problem, because sometimes it's just misery loves company, people sitting around having the same problem talking about the issue and the challenge.

Can often come up with some options for solutions, and we see that happen at 229 events too. So it's a really cool, unique, bespoke event I've never seen anywhere else.

Yeah. And so you and I have been talking a while about, how can we scale ourselves? Like, how can we have an impact on the community?

And a lot of people make the mistake of thinking, it's my thinking that is going to change healthcare. They need to hear my great thoughts. And that's what this is all about. And I think the thing that you and I both share is just having done this for so long, and been interacting with so many smart people that it's like.

I just want to facilitate that smart person talking to that smart person talking to that smart person and we do that, via webinars. We do that via the podcast, but it really and we're going to do it next year with some local events. We're going to be going to some cities and that kind of stuff.

But the 229, this round table format. is really fascinating to see the electricity start as they go. Hey, I'm having this problem and, we're trying to implement this thing. We think we can do this and we got, we got stuck here and then have these other people just lean in and go, it's really interesting that you're trying to do that.

We've wanted to try to do that, but we got stuck here and somebody else going, Oh, we got through that. Here's how we got through that. But we got, and they essentially start helping each other. to ideate and solve those problems. And that's the magic. and this is why I think we're so well aligned, is we're just unlocking the incredible, knowledge and experience of the healthcare community and giving them the right platform where they can interact with each

other.

Yeah, my friend, Wes Wright at Ordr, when he was my chief technology officer at three different jobs, and he used to say to me, all the time you don't even know what you know. People have to ask questions, and then you start talking about things, and people in the room are surprised that's a really good thing for us to know, or that's a really good piece of experience that you have that we would have stepped on that landmine without it.

I think we're not alone in that, right? And sometimes it's I don't necessarily want to talk about all of my own experiences. I want to hear about other people's experiences. We're lifelong learners, both of us. So this opportunity to get smart people in a room and kind of throw something on the table and let them debate it or carry on about it.

That is, to me, the Most fun I can ever have. I can be a part of that, I will be a part of that, but it's also really cool to hear other people talk about their experiences and, to use an overused word maybe, but the diversity of people in the room, the diversity of their experiences, right? Here's what we did well.

Here's a landmine we don't want you to step on. Here's a thing that we think if you move a little bit to the right, you can see that there's actually a gap that you can run through on this project. Those are super cool insights and you can get them from people who are also in the heat of the battle at the same time with you.

That's good. That's just good.

let's talk about, when we started having the conversation, it was like, all right what community would you run out and be a part of, and you immediately gravitated towards risk and security. And, my first question to you was, isn't that already a pretty well organized.

group within healthcare. Talk a little bit about that. they

Yeah, I think there are great opportunities for cyber professionals to learn from each other today.

Usually in a structure. Mostly of associations, or a lot of it is in the structure of associations, and a lot of those are events that happen from time to time, and often in a lecture sort of series. You have a saying about this. Yeah,

Inspiration happens in rows, and transformation happens in circles.

Inspiration happens in rows. yeah, when that

person is up front, they're typically inspiring you. They're saying, Hey, look what we've done. Isn't this amazing? And you sit there and go, yes, I can do this. But transformation happens in circles because it's you and I sitting there going, what'd you do again?

So how did you get, it's a discussion, it's a conversation. And generally when we're interacting with each other, that's when transformation really happens.

And that really is the frontline battle that I think. We can help with, right? Helping that transformation happen by helping connect people who are in that same trench, they're in that same war with you, and they're trying to figure their stuff out too.

And I'm not saying that there aren't other places where that can happen. I think that healthcare, cybersecurity, and risk is unique enough. And interesting enough, and important enough, given that it's, 20 percent of the U. S. economy, it's it's important enough that we ought to just do everything we can to try to help make these programs better, help make healthcare, you hear me talk about this all the time, but better, faster, cheaper, safer, easier access for patients and families, and all of that ultimately is connected to good cybersecurity.

You and I talked at the end of the year last year David Ting, Laura Toole, you and I did a sort of a year in recap. And part of that was looking at, hey, how did we do in cybersecurity? And it, in some areas we're making progress, but the numbers would not indicate we're making enough progress at this

point.

Yeah, more records breached in 2023 than ever before. We continue to just see major events that take health systems offline. for days or sometimes weeks at a time. When those things happen, I get calls from clinical friends who work at that organization who say things to me like look, I went through medical school with electronic health records.

I don't really know how to do this on paper, and I'm really concerned for a lot of reasons. I'm concerned for the patient's safety. I'm concerned that I'm going to make a mistake, an unintentional mistake, but this isn't how I work, so I'm doing something completely different in a really critical environment, and I'm going to make a mistake, and maybe the state's going to take my license, right?

I may hurt the patient or, cause death in a patient. Those are all the things that, for me, when I look at 2023 and the speed of the adversary, the innovation of the adversary, the bad guys, the way that they have continued to improve their craft I, despise them, don't get me wrong, but there's also a part of me that admires their business plans and the way that they continue to innovate and are very creative in how they attack healthcare.

we have to help our crew, our cyber security team, figure out how to get ahead of that and stay ahead of that. And while, 2023, I think there's just still a long way to go. And it's not that there's an end point in this war. I think it's an ongoing war. What we have to do is create a situation where we can continuously improve our stance, our footing on that battlefield.

How have you seen

The phrase, the future is here, it's just not evenly distributed. should know who to attribute that to. I don't have that correct. I know I

hear it all the time too, or I've heard it for years too.

have you experienced that in the cyber world? I experience that in healthcare all the time where I think.

Somebody says something to me, I'm like, call this health system, they've solved that problem already, or they've addressed that. And I've heard Judy Faulkner say the same things, like if we could just get, all of our clients to do what our best clients do, we would make a significant dent in healthcare.

Is that true in cybersecurity as well? And have you

seen that? Yeah, no, I think there are definitely the, as with most things in healthcare there's the haves and the have nots, I think healthcare is a lot of different things across that entire industry. Big health systems, small rural community hospitals, some health systems have decent margins.

Most of them have very thin margins and they have to be very thoughtful about how they spend every dollar. The wrestling for talent is real and it doesn't matter if that's an epic analyst, but it definitely applies to cybersecurity. And so there's definitely the challenge of the haves and the have nots.

And I think a big part of this ultimately is how do we create A situation where, to use another turn of phrase, a rising tide lifts all ships. I think there's got to be work and there is work that is going on now that I think we can talk about and make more public, help people understand there are resources that are available to them today that can

help them level up their programs that aren't going to cost a lot of money. And that there's ways of thinking about how to level up their programs that may be different than the traditional way that they've always approached cyber security. Hire more people, buy more stuff. I think there's other ways to think about this whole approach.

Yeah. During

our recent discussions, you were actually at a national meeting, which I assume is associated with the government in some way. And you were just talking about the great material and content that group has created. Talk a little bit about that.

Sure. I'm a member of the Health Sector Coordinating Council Cybersecurity Working Group.

So there's a lot of acronyms in this, the HSCCCWG. And in that is a group called 405D, which. Refers to a particular piece of legislation, but that group has created a ton of material about everything from IoT to incident response to, modernization of equipment tons of great material that's actually available.

But it's hard, I think, when you're the government for a couple of reasons. One is you create this material, it's a lot of volunteers, it's some super smart people, and that was the all hands meeting in Salt Lake City at Intermountain that I had attended when I was talking to you. But they create a ton of material and sometimes the challenge is Getting the material out there and letting people know about the material.

Plus, the material sometimes has some weird acronym y kind of kinds of names that you wouldn't immediately hear that term and think, oh, that might be something I could use, to help solve this problem. That's definitely one of the paths of the podcast that I'll create and some of the community conversations that we'll have will be around those materials.

And talking to the people who create those kinds of materials, and why they thought it was important, and how it can help, and how it can be applied, and examples of others who are applying that material today. All of that, becomes a really important part of this sort of motion of Chris Inglis, who was the National Cyber Director at one point, said, we want to create a program, essentially, we want to create a national healthcare program, or national program around cybersecurity that is You have to beat all of us to beat one of us.

And I think it's something for us to aspire to, right? That really is the kind of community that we want to put together, that a lot of the little things we've figured out and everybody can use those things. And that's, back to the a rising tide lifts all ships, we need to level up everybody's program as much as we can.

And a lot of that is just. knowledge and sharing and connections and relationships and knowing that you've got people you can call who can help you like that without thinking I have to, buy some big amazing thing or create some kind of, massive contract or, do some significant.

Ridiculous project. Yeah, we're

spending millions and millions of dollars. The, people are going to hear this now and they're going to think, man, these guys are just really throwing this together as they go. But one of our principles is to get as much input from the community as possible.

as we move forward. Now, we know, and you mentioned this, we know we're going to launch a podcast and you're going to be the host. We have no idea what the format is going to be, but we do know that the topics will stem around risk and cyber security. And so that's in development. stay tuned for that.

you talked a little bit about it, but what's your vision for

that right now?

Initially, I'll I have a working name on hacking healthcare. And the idea is that there's a lot of things that we can talk about inside of the construct of that. One of those is just.

Getting to know the people who are doing the work that is unhacking health care, the unhackers, maybe, that are actually doing this work today. Understanding where they came from, why they're so passionate about the work that they're doing and how they're creating and delivering the things that they're delivering in their own organization, but it's also getting to know them.

In some cases, on a more personal level and what makes them tick. But I think there's another whole sort of lane of this that's tied to the 405D program and working through a lot of the material that's there and why it's important and how it's used and who's using it. And I think a lot of other things too, right?

It's unhacking healthcare, but it also, I've got a feeling, a thought about It may also be unhacking CFOs. We talk to CFOs and how are they involved in cybersecurity and what are they doing? What are the good ones doing? And what, what are the challenges for them?

It may be unhacking CEOs. It could be unhacking CIOs, right? And the relationships that have to be built in all of this. We talk about all the time how all everything's connected to everything else. So when I say better, faster, cheaper, safer, easier access care for patients and families, cybersecurity is connected to better care because.

If you're down and you're offline because of a cyber security incident, you're not going to get better health care, faster, cheaper, safer, all of those things apply. And it's not just about cyber security in its own lane, right? It's. infrastructure modernization, it's application modernization, it's the people who are on the front lines.

I talked to Teresa Meadows a few months ago and asked her, how many people on your cyber team? And she said, 7, 247 or however many people work at Cook's Children's, right? And she meant that. Their culture there is everybody's a part of this fight. And so There's a lot of things, I think, inside of this idea of unhacking healthcare.

I have no shortage of ideas. I have a board full of ideas over here right now, I think the hard part is going to be sorting some of this stuff out and figuring out what works. and I have talked a this idea of the Toyota lean production idea of perfect is the enemy of good.

So I can tell you that as I start this, There's a 0 percent chance I'll get it 100 percent right. We're going to try stuff and it's probably not going to work, and we're going to try other things, and that's going to light up and going to be really good. And That's how you've worked for the last five years at This Week Health, and it's a big part of what sort of drew me into the family.

Yeah,

and appreciate that. And our core value is better, right? So we're always looking at something like, how do we make it better? And perfection is to be strived for, but never attained. And so we always know we can do a little bit better. Some of the other things that talked about and we're going to be doing, we'll do four CISO roundtables.

And the first one is actually the second week of February, and that one's full. And we're looking forward, that'll be the first one that you'll be hosting as This Week Health, which will be great. You've been in the back as sponsor with CrowdStrike. A couple times, but this time you'll actually be sitting in that chair.

I will be over with the CIOs, because we're going to be doing two events at, on the same weekend in the same location. So you'll be hosting the CISOs, I'll be hosting the CIOs. But the plan this year is to do four of those, four CISO roundtables. We're already planning our second one in June.

Third one will probably be in July, and then we'll do one in the fall as well. We will have those roundtables, but I think one of the things you and I are excited about is there's people whose travel budgets have been cut, and, it's just hard for them to get out, and we've been talking for a while of how do we take this out.

And we're talking about doing a 229 project city tour and getting to a number of cities this year. Number of cities to be determined based on, what makes sense and what the response is. From people. So we have a lot of ideas, a lot of thoughts on the table, one of the things I think we want to do here is let people know hey we're bringing this community together more often.

I realize that they're connected in a lot of ways. We're bringing this community together. Your job every day when you wake up in the morning is to think about this community. I think about the health IT community. And I love the fact that now a partner, somebody who's going to be thinking about a specific part of the community.

And I love it if we could continue to grow this way and have these communities have leadership like yourself grow out. But, would love to hear from people. what are your thoughts and ideas? I'm bill@thisweekhealth.Com Drex is, as you would imagine, drex@thisweekhealth.com There's a lot of opportunities, I think. And, we really do believe that, that connection, bringing people together, having those conversations and facilitating those conversations is where the magic is going to happen. I'm excited.

It's gonna be a fun ride. I think we're gonna do some fun things.

Yeah, I'm excited too. I think this is going to be for me, it's I've gone through my career always looking for a longer lever that if I push down on that lever, I can make healthcare better. And so that's been from one job to the next has been the analogy in my head.

And I think this can ultimately be like, Maybe the best lever I've ever had to be able to make healthcare better, faster, cheaper, safer, easier to access.

am looking at this. I'd just be remiss. First of all, I have this picture of you. You have more headshots than anybody in America.

It's true. It happens. I don't know why.

Yeah, and some of them are very creative and artistic. So clearly, Some marketing and creatives have had a chance to look at it, but I'm looking at your bio, your bios and your post yesterday. So people have an idea of when we're recording this talks about your U.

S. Air Force veteran previously executive healthcare strategist at CrowdStrike, CIO at Stewart Health, CIO at Seattle Children's Hospital, CIO at Scripps Healthcare and then CTO, United States Air Force, Office of the Surgeon General. And you served in the military for what about 20 years?

20 years and 21 days. Yeah.

20 years, 21. And you were in combat areas

a couple times. A couple different times. Yeah. I enlisted as a, just a farm kid that didn't have money to go to college. And so I enlisted because I found out that I could go to college at night and the air force would pay for it.

And so I tested. Luckily into the computer space. And this would have been, the early 80s. And so I learned about computers back before the Internet was a thing and back before browsers were a thing. And, I used ARPANET back in the, old days, right? And then I finished my degree, got commissioned as a medical service corps officer, a hospital administrator, and I wound up weirdly as the hospital administrator who knew something about computers.

And that was before there were CIOs, or that was even a career field, or people were even thinking about it. And I'm like the luckiest guy on the planet. And that just continued. Small hospital I was at the Air Force School of Healthcare Sciences. I ran one of our regions with 14 hospitals across the southern U.

S. as the CIO. Then I was at one of our medical centers, David Graham Medical Center, and then the Chief Technology Officer for Air Force Health's Worldwide Operations. before I retired. And in there, there were a couple of opportunities. Iraq invaded Kuwait. I was in the first Gulf War, running an air transportable hospital in Saudi Arabia, but I was all over that peninsula prior to and during that war.

And then, back 10 years later to run one of the hospitals that I had actually built. at King Cleet International Airport. This one actually was in a little further north than King Cleet International Airport, but I was back to do Southern Watch, no fly zone support in Iraq. Yeah, it's been a crazy career.

It's been a crazy life.

, you and I had a chance to sit down for a whole day, so I got to hear your story. I think in its entirety for the first time, maybe not its entirety. You didn't tell me the whole story, but I thought one of the things that was interesting in it is probably one of those things that would have made you a great CIO during the pandemic.

Is that military experience and you were talking about, standing up the hospital and whatnot and you're in those areas. And as you looked at how patients were flowing in and out and all that other stuff, you're like, what we were doing before isn't going to work anymore.

Like we've got to do something completely different than what we did before. And you guys just switched it up. Talk a little bit about that process.

Yeah, I think that, at the time, you always go, Mike Tyson has a saying too about everybody has a plan until they get punched in the face.

And I think that was part of this too. We went into the original Gulf War, Desert Shield, the prep phase with this plan of soldiers will get injured, combatants will get injured, they'll come back to field hospitals, they'll get patched up, some of them will go back to the front, and some of them will be airbacked out.

And, As we got into the desert storm part of this and the air war, it became pretty clear that as the tanks moved forward that there were mass surrenders and we weren't going to take mass casualties like on the front lines, but the people who got injured. Probably we're going to be pretty severely injured, maybe severely injured enough that we're not going to be able to take care of them at field hospitals.

We're just going to have to Aerovac them directly to Europe. And so rejiggered the entire Aerovac system to just say when somebody is injured, we can just. get them on an airplane and get them to Europe. And we almost bypassed the field hospital part of this, except for maybe some local non battle injury related cases.

And it was a whole different way of looking at that problem and how we're going to take care of soldiers and airmen and, others who are injured on the front line. And those are

almost like flying ICUs,

essentially? They are there. It was a pretty cool, program at the time, some really smart people at the time at Wolfer Hall Medical Center, who put together this idea of how do we do that kind of intensive care in the air?

How do you create an ICU that can fly at this, altitude for hours at a time? There's a lot of issues with that, as you can imagine, with, Lung injuries or other injuries for a patient and they literally just on the fly invented some stuff that made that a reality. They've been working on it for a while.

They've been thinking about it for a while, this is one of those innovative things. The mother of invention kind of thing that when it happened they had some ideas and they were able to put it into practice. It was good for, it was good for everyone involved. Drex,

I'm looking forward to subscribing to your podcast.

I think it'll be a lot of fun. You quoted Mike Tyson, you, you quoted West and, that about covers the gambit right there. Pretty much one end to the other, right? Yeah, absolutely. Again, thank you for being a part of this. I'm looking forward to partnering with you.

I think it's going to be a fun ride. Yeah,

same here. Cheers.

I love the chance to have these conversations. I think If I were a CIO today, I would have every team member listen to a show like this one. I believe it's conference level value every week. If you wanna support This Week Health, tell someone about our channels that would really benefit us. We have a mission of getting our content into as many hands as possible, and if you're listening to it, hopefully you find value and if you could tell somebody else about it, it helps us to achieve our mission. We have two channels. We have the conference channel, which you're listening. And this week, health Newsroom. Check them out today. You can find them wherever you listen to podcasts. Apple, Google, overcast. You get the picture. We are everywhere. We wanna thank our keynote partners, CDW, Rubrik, Sectra and Trellix, who invest in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.