September 23, 2024: John Kirkman, VP of Government, Healthcare, and Education at Island joins Drex for the news. They dive into the complexities of cybersecurity in healthcare, particularly the crucial relationship between CISOs and CFOs in mitigating cyber risks. How do budget constraints and evolving technologies challenge security leaders, and can collaboration across departments simplify security while saving costs? What can healthcare organizations learn from recent outages like CrowdStrike's, and how should they prepare for inevitable security disruptions?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
This episode is brought to you by Island.
Today's healthcare staff needs safe, convenient, and dependable access to patient data across various applications. Island, the enterprise browser, simplifies and secures healthcare data access. It's a new take on the most common application we use every day, the web browser, tailored for the unique demands of healthcare.
Clinicians can safely log in from any device to interact with health system applications and PHI. Built-in last mile controls keep data where it belongs, so access is simple, data is safe, and patient care is smooth. Visit ThisWeekHealth.com slash Island to see Island for yourself.
Bill Russell: Today on Newsday.
John Kirkman: It's a function of making sure those relationships that are built down the hall more that, you CISO can enlighten to help along the way, then you're not just going down to dad to ask for the money, when you need it, right?
Bill Russell: My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts. Now, let's jump right in.
Drex DeFord: Unhack the News. I'm Drex, and I'm with John Kirkman from Island.
How you doing, John?
John Kirkman: Doing great, thanks for asking.
Drex DeFord: Where are we right now?
John Kirkman: We are in Washington, D. C.
Drex DeFord: At the 229 event, there's actually two events that are going on, two summits that are going on right now, one for CMIOs, one for CIOs.
John Kirkman: Yeah.
Drex DeFord: You're in the other room and I'm in the other room. Yes. But we still get to hang out with each other.
We do,
John Kirkman: thankfully. And we had some stuff
Drex DeFord: that we wanted to talk about from the news perspective. Yeah. You ready to go?
John Kirkman: Let's do it.
Drex DeFord: There's an article in Rock Tour. That is about CFO and CISO relationships being the key to mitigating cyber risk. And it's a good conversation, I think, because you and I have spent a lot of time together working with CISOs.
And sometimes there are challenges in getting budgets to do things that seem like they're totally the right thing to do. But in the spirit of the struggle that health systems have with money right now trying to pull that off can be tough.
John Kirkman: Yeah, I think the way we need to remember always is, things have to self fund in this day and age for the most part.
And you can figure, sometimes people tell you their hurdle rate on their ROI and you want to understand those measures for sure, right? How the CFO thinks the different CFOs are very different from one another across organizations. I've found some, but one thing is common.
They don't want to spend anything more than they have to, right? It's about, how is it that we can make something cost neutral or, even better, save money, right? And that's a much better conversation for a CISO to walk down the hall with.
Drex DeFord: I think in the beginning, especially as you start to turn around a program, or, it's almost not, it's not even just when you start to turn around a program.
A lot of this is also about not being so in love with the previous decisions that you've made, or that you've made in conjunction with your CTO or CIO. Being open to new ideas because technology changes so fast and the bad guys change so fast that you need to embrace the potential for new ideas. And sometimes the new ideas can create an opportunity for you to have a simpler environment which is easier to secure.
John Kirkman: Yes and I think also the thing to remember is, Some of these things have a pretty long tail and predate the folks that are now at the table. And, sometimes it makes it easier because nobody has that sort of religious bent for it. But at the same time, sometimes people don't really understand how that implementation went down and they don't want to break it or touch it.
So there's like an equal parts fear of change. And then sometimes it's, a catalyst for change. But I think. The common thread around all that is when you see things happen to others, it's that opportunity to enlighten and enrich, the senior leaders to understand how that won't happen to us because these are the steps we're taking, right?
I think it's a, a function of making sure those relationships that are built down the hall That's an ongoing conversation and it's not just when I want something, right? So I think it's important. more that, you CISO can enlighten and be that sort of person to bring subject matter experts into the fold or do different things to help along the way, then you're not just going to, going down to dad to ask for the money, when you need it, right?
Drex DeFord: You have to understand money and finances more and more as a CISO. That's a big part of your job. The other part of it, I think, too, we were talking about this earlier you shouldn't feel the need, if you're trying to do something new, to show up with an ROI whatever, slide deck or spreadsheet that you've built completely on your own.
Part of this, you should ask your partners for help with, right? They've seen these ROIs built at other organizations and they should be able to help with that.
John Kirkman: Absolutely. I think if they're not offering that, ask for that. They'll probably jump on it because it means you're interested in what they're doing.
But I would tell you this that thing that keeps coming up is as of late especially now that we're post COVID a lot of expansion into areas that were uncomfortable and big spends went on. And expanding things that they didn't really want to at the time, but had to.
It's going back now and taking stock of that and saying are there things we can rationalize? Can we do from two for one swaps, or three for one, or four for one, where there are these opportunities where the integrations that these software companies have created, should be to your benefit, right?
Can you do that? Eliminate some things, build a roadmap towards it. Maybe you don't completely get rid of some of these technologies, but can you radically reduce them? And there's a few vendors in the marketplace right now that are rich targets for that. I don't want to overplay the hand here, but people are a little bit frustrated with some of these that have either been acquired or, other business arrangements have happened and are a are the victims in that situation, and it's, frankly, it's not cool, but I think the best way to combat that is to find a way to, work towards moving that away.
Drex DeFord: I think you're speaking your CFO's language, too. When you go to them, not just with a project in isolation on its own, but you're helping them understand how you're going to do this thing in conjunction with a lot of other things that you're trying to accomplish to make the environment more simple, I or more cost effective, or more efficient.
It does more things to make life better for the providers or the IT operations team, whatever the case may be.
John Kirkman: Absolutely. You're actually, it is, when you can take something that can help you be more secure by nature, but you can also improve the user experience and then also drive out cost, like that's a trifecta.
You can walk down the hall with pride. And also. It's then you're also joining forces with your, brethren across, whether it's, the office of the CTO or it's somebody in end user compute that maybe you didn't really work with that much and then you band together. Now, a couple of you are going to the office together.
That's going to have a higher rate of success, right? I think it's important.
Drex DeFord: Yeah, I love that.
Sarah Richardson: Hi, I'm Sarah Richardson, President of the 229 Executive Development Community and host at This Week Health. I'm thrilled to invite you to a must attend webinar on September 24th, where we'll be discussing the future of healthcare cybersecurity. Join me and top experts from Rubrik and Microsoft as we dive into their powerful partnership and explore how they're leading the way in protecting healthcare data.
This is your chance to gain critical insights and strategies to enhance your organization's cyber resilience. Don't miss out. Secure your spot now by registering at thisweekhealth.com slash healthcare dash cybersecurity dash excellence. I look forward to seeing you there.
Drex DeFord: Okay, I'm going to switch topics on you. work together at CrowdStrike. I have covered extensively the July CrowdStrike event. As it turns out, there's an article in Bank Info Security, amazingly enough, that it talks about how CrowdStrike has yet to see any customer lawsuits over the outage.
I don't know that I necessarily want to get into the lawsuit, no lawsuit, whatever. I whatever. But you had good perspective on this when we talked about this in pre game, so why don't you talk about this?
John Kirkman: 100%. Obviously I spent, six and a half years of my life there, and the technology, proud of the work that we did over there.
And, I think the message here is, there's a lot of opportunities at WTO. And it's going to happen again to somebody else, so if you look at all of this complex ecosystem and set of architectures that we have in place, odds are, something else is going to happen. And this is the irony part, it wasn't really, it's not like a cyber thing.
It's a software thing. was
Drex DeFord: an operations interruption, and that is the, that's the killer. It may be a cyber security event. But it can just as easily be something like this that happens. Because we've become so reliant on a number of vendors to help us do a lot of our work. Software as a service, or security as a service, or whatever the case may be.
John Kirkman: So what's come up a lot for us in this conversation is we've heard people, really it's resiliency is like the word that's come up a lot. have an outage of that magnitude. And we're talking about in a health scenario and maybe it could be even something bigger or something that takes longer to clean up.
In that case, it was a function of being able to just physically get those machines back up by rebooting them like hands on. But what if it is some kind of a breach situation? We know some of these breaches of the last couple years where, elevator systems are impacted and telephony and you name it.
And it's taking weeks to get some of this stuff back? Yeah. Holy moly, right? This is not a simple fix. That happens, and so one thing that we've been discussing with people is have another, have a strategy. In our case, we just have folks who can leverage their personal device and still work, which is an interesting concept.
Drex DeFord: And it's a unique capability, for Island.
John Kirkman: It is. The way to think about it is it's just a browser from the end user perspective. They download the browser. They credential in. And now they have access to the applications like that.
Drex DeFord: It's all built in because the browser is unique to that organization.
Is that why it works like that?
John Kirkman: It is. So it's not a browser. This is where I get confused Yeah. Of enterprise browser is you log into the browser, so you are an identified user based on your regular identity policy that you have set up. In any of your IDP scenarios.
But that then drives your experience as the user. So what that means is if you're a third party, you're going to only give them access to the applications that you want them to have access to. And maybe they can't even cut or paste or do anything with that data. By contrast, the same applications without touching any of that code, you want to be able to provide a totally bespoke experience for an internal user where they can Take that data and move it across.
And in a lot of cases, start to create workflows that streamline how that data moves. But you can do more, with greater dexterity for different users. And that's really where we're getting at. But I think cutting back to that disaster recovery, if you will. Resiliency. Yeah. It's if you do these things and you get them set up, you're actually going to find you're getting more benefits anyway.
Okay. And now you've got this too, and I think that's the other piece is it goes back to that, do more with less conversation also, so if you don't have to stand up VPNs and VDI infrastructures and all this stuff, you're going to be able to move quicker and again, it goes back to more with less.
More secure and better experience. So it's that's the trifecta. Yep. I'm always going to land there, Drex. Sorry.
Drex DeFord: That's okay. We'll do one more. CISA has launched their cyber incident reporting portal for streamlining breach reporting. This is a thing that they've been talking about, we've been talking about for a while.
The portal's now up and running. You can sign up for it, have a breach, report your information all of that. CISA will tell you that look, the reason for it being, for its existence isn't really to punish people. It's so that the government, who has a lot of different resources, can actually, Help.
They can help you if they know that there's something going on and they have a really hard time helping you if they don't know there's something going on. So today, a lot of folks work with their local FBI offices or the regional CISA offices or whatever. And if something happens, they talk to them. I think the process is going to become now.
Use the breach portal. That also lets them start to coordinate information from a lot of different places and say Oh, it looks like there's a lot of attacks happening to these kinds of organizations or these kinds of health care systems or in this region or whatever the case may be. But I think there's always going to be some sensitivity to like government reporting.
John Kirkman: you choose to if it wasn't mandated, right? And that's the, and I think. One reason is, I mean it's the right thing to do, but it may go there. Can't bury your head in the sand, prepare. And, the proper process and procedures, but also have the right tooling. There is a lot of technology out there now that can give you visibility and can give you that audit trail that you need.
And you have to really think about those in practice. In more of a what happens if scenario. So you really are building all that with forethought. And so I, just say embrace it because it's here. Yeah. It's not coming, it's here. Make sure that your house is in order. And I think if you have all your ducks in a row, that's something to be proud of.
And you can actually, proudly help the community as opposed to feeling like. Tenuous about it.
Drex DeFord: A lot of this too is you and I have talked about this quite a bit. The incident response version of the continuum, which is like, Oh man, we are really owned and now it's going to take us 30 days to recover.
As opposed to the intentional resilience end of the spectrum, which is like, People talk about if, it's not if, but when. And that is absolutely true, but it shouldn't be like the scary part of this. The if part could be Yes, it's going to happen, but if we can catch it really early and make it seem like nothing ever happened to our end users and our patients and families, that's the resilience we're looking for.
And you can have that kind of an event. It doesn't turn into a breach. You still report it to CISA so that they know there's something going on. But from your perspective, from your end users' perspective, from your community's perspective, it's like nothing ever happened. So it's about how do you shift that whole.
It's not a catastrophe, but you shift it down so that you can lock this up real tight in the beginning. That's the operation you're looking for.
John Kirkman: Yeah, that's the peace of mind, and it's really the expectation. Many years of being in security, there's this boogeyman mentality. Now it doesn't necessarily need to be that, because security transcends just How can we make sure nothing gets in?
It's not about that. The ecosystem of your partners, your supply chain, all these things, they're interwoven. There's way too many ways that are out of your control, that are not even you, but there's people that are attached to you, that things can go wrong. That's where having that resilience plan, having those things in place, will just help you to be able to react to that quicker.
Therefore, like you say, be able to be more forthright, forthcoming with information that may help, others that are not in that position. That's the other thing to remember. It's like there's, community hospitals that are strapped, right? For sure. Yeah, absolutely. And part of being part of this healthcare community is you've got to help each other out.
And I think that's, if you're in a position that you are at a powerful organization that is a leader, it's part of your responsibility in my opinion.
Drex DeFord: Yeah. No, I think that's great. Hey, thanks for being on the show today. I really appreciate it. It's good to see you. I'm glad you're here.
I know.
John Kirkman: It's awesome.
Drex DeFord: And this is
John Kirkman: way cooler than a Zoom thing. I love
Drex DeFord: this.
John Kirkman: Yeah.
Drex DeFord: So maybe we'll just do this from now on. Holly's sitting behind the camera, so we're just telling her maybe just John and I need to actually get together.
John Kirkman: Let's just do it. That sounds good.
Drex DeFord: Yeah. Thanks, man. All right.
Thanks, buddy.
Bill Russell: Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com slash news.
Thanks for listening. That's all for now