This Week Health


December 9, 2024: Brad Marsh, EVP of Government Health Technology & Security at First Health Advisory, joins Sarah for the news. How do clinicians evolve from being cybersecurity vulnerabilities to invaluable assets in the fight for patient safety? What role does federal legislation play in bridging rural and urban healthcare security gaps? Can healthcare systems truly prepare for the increasing reality of 30-day downtimes, and how does that impact continuity of care? Brad offers profound insights into these pressing questions while addressing the importance of integrating cybersecurity at every level of healthcare, from clinical workflows to boardroom strategies. 

Key Points:

  • 04:35 Legislation and Workforce Challenges
  • 10:12 Clinical Impact and Incident Response
  • 14:19 Resiliency and Preparedness
  • 28:15 Mergers, Acquisitions, and Cultural Integration


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Their expert solutions ensure compliance and boost operational efficiency. Visit ThisWeekHealth.com slash First Health Advisory today and elevate your cyber strategy with First Health Advisory.

Today on Newsday.

lthcare, one connection at a [...]

Now, let's jump right in.

(Main) Welcome to Newsday. I am joined today by Brad Marsh from First Health Advisory, and we're honored to have him as our guest. Brad is the Executive Vice President of Clinical Innovation and Government Health at First Health Advisory, a leading firm dedicated to enhancing cyber resiliency and securing digital transformation in healthcare.

With over 20 years of distinguished service in the U.S. Army, thank you for your service, Brad, his career uniquely bridges tactical air and missile defense and nursing, providing him with a comprehensive perspective on healthcare and cybersecurity. At First Health Advisory, he leverages his extensive experience to advance secure and efficient healthcare solutions. Prioritizing patient safety is a business imperative. Join us as we delve into Brad's journey and explore the critical intersection of healthcare and cybersecurity. Welcome to the show, Brad.

to have served this country. [...] ear end and getting ready for [...]

Really, everybody was watching the political spectrum and we've had the elections and we'll have an inauguration and a peaceful transfer of power, which is one of our hallmarks as a country in the new year. And we really look to see that bipartisan work in both houses of Congress to be able to move things forward.

And, Senator Warner and Cassidy, bringing forward the bills they have, that was a tipping point. And as I read through and was seeing it pre holidays I recalled back to the work I did when I was still active duty on the Healthcare Industry Cybersecurity Task Force.

reading the tea leaves back [...] precipice of finally getting [...]

So there's work to be done, but right now we're starting to head towards the right direction. We should not all be doom and gloom. This is not the end of the world. This is one of the hiccups that we have faced along the way. And it is our peers out there, Sarah that really are doing their best.

We should reinforce them and we should give them all the tools and able to That's possible for them so that they can do their job at that tactical level and then really start to look at our overall industry writ large as in the critical infrastructure sector. It really is. I appreciate that the true bipartisanship that you've shared for the Health Care, Cybersecurity, and Resiliency Act of 24.

It's only a couple of weeks old in terms of it being formally introduced. There are five key pieces that really touch on what it means to strengthen cybersecurity within the health care sector. And specifically, whether that's grants and training or the support for the rural providers.

Enhanced [...] So there was a book published [...] of the sections. And when we [...]

a nurse, I'm a retired Army nurse.

Have a deficit of nursing. We have a deficit of cybersecurity. And then you add on healthcare

And all of a sudden we're woefully understaffed. And so by encouraging people to go ahead and go get the training, to understand that we have an ability to train others, to develop others, to really bring together formidable force.

degree from National Defense [...]

I want to have cyber clinicians. Already done this with some of our team members. But you have clinicians that can start to look at what is the clinical impact of this cybersecurity modification of this intervention and really start to bring the clinicians from being our biggest vulnerability to being our biggest censored biggest asset.

That requires upfront money. Hospitals cannot take a nurse off the floor unless they have funds to be able to cover the overtime for another nurse. They don't have the funds to go ahead and pay somebody to go get their CISP, their CHISL. There are any variety of other certifications that are out there in healthcare.

Again, and I focus on that teaching and the grants, but then when you start to look at the rural providers, it is so

ds of man hours of dedicated [...]

They are no less important than the larger organizations. And really being able to support those rural providers to be able to keep delivering care, we keep the national infrastructure protected by doing that. Again it's a web. If great, I've got grants and training, but if there's nobody here in these rural areas, I won't be able to secure the infrastructure sector.

I'll have a big gaping hole. Guess where the enemy is going to go?

[Mic bleed]

going to go to the hole. When you start to look at that overall enhanced coordination and the incident response, we then start to really see how does it all play together. We used to joke about who you're going to call.

o cite, but who you going to [...]

And then, of course, as we get into the regulatory updates many times we've gone into hospitals, and they're like, oh, we've got our HIPAA here's our certification there. And nowhere in it does it talk about a DMZ. Nowhere in it does it talk about your SAML authentication. How are you handling your multi-factor?

That's not in there. And we do need a rationalization where this kind of falls a little short, because, and it's supposed to, given government structure here in the United States. The states have rights and the federal government has certain responsibilities. And I think that's one of the things that if you have a hospital system that's in a tri state area that serves multiple states, that hospital has to abide by the state regulations and the federal regulations.

s kind of falls short. We do [...]

achievable,

We need to make sure that we are requiring what really needs

When you mention the incident response planning perspective, especially with having cyber almost executives in the clinical arena, it often is a topic of conversation, whether it's one of our city tour dinners or one of our summits that says, who in the hospital is responsible for continuity of operations when there is a cyber attack, and there's this dialogue that often, to your point IT.

ty capabilities inside these [...]

A great point. Not while I was with First Health, but in a previous career, and we'll remain nameless there, there was about a 36-hour downtime, and I was working as more of an inpatient nursing information officer, so think of CNIO focused only on the inpatient side, and we were coming out of the 36-hour downtime, I actually had to go to a conference, and my lieutenant was manning the floor and he calls me up and he goes, sir, we have a problem.

hat we had to begin to start [...]

Over time, the intelligence level drops drastically. And it's not because there's anything wrong with either of the major providers, that they're great systems, they are very configurable, they have great resiliency, but all electronic health records rely on data entry to keep them current. As the currency gets further and further apart from reality, that therein lies a bigger problem because you'll actually have the electronic health record recommend things that are not safe.

ntime. The continuity wasn't [...]

Great, but did you talk about the clinical impact? And I really think that's where having the cyber clinicians, having the informatics folks, having the folks that have been at the bedside, and really pulling them into the conversation. Where are they in the disaster recovery communication plan? We've seen multiple places that went through ransomware.

And the press went immediately to the clinicians at the bedside. And we were hearing terrible stories of things being crazy because nobody had talked to the clinicians. That right there, that's part of crisis management. We need to make sure we have communications. We need to be able to bring everybody in.

as you said, CIO, CISO, they [...]

And the 36-hour downtimes used to be like the extreme. We do a system upgrade or we would do some kind of a change and it would be overnight for eight hours and everyone's going to hang out and wait for it to be over and catch up. 36 hours, bigger extreme. Now there's this expectation that you can be prepared for 30 days.

oday we're seeing an article [...]

When we see these things happening, the intent is there, the extremes are out there as well. And what you do in serving the community and bringing things forward, where do you see those pieces actually coming together in a way that makes the clinician, the CISO, the patient, feel safer at the hospital where they receive care?

nal level because healthcare [...]

of the age of Medicare. And so she's talking about, Oh, I had required to get all this stuff. But when there's a divorce between reimbursement and care, we have gaps and we have misunderstandings that if the patients don't understand it, we have a problem. So somebody is not explaining it.

The person in the middle is the clinician. If the clinician doesn't understand it, we have a problem. Take that analogy and put it into cybersecurity. CISA is great. I've known a deputy leader of CISA, I'm very enthralled with what they've done, their toolboxes, great work, fantastic. If you flip a switch on one of my devices, you could end life sustaining treatment.

nected to patients. They are [...]

That's why the ISACs were created. Then we had ISALs pop up, and then we had. In order to be able to share, you need to be able to speak the same language or translate to the same language. You need that Rosetta Stone. Unfortunately, the NIST CSF, which is a great Rosetta Stone, I've taken all of the different scales and tools out there and crosswalked it to the NIST CSF.

one, because there are other [...]

There are non profit hospitals, yes. There are critical access hospitals, yes. I'm not bad mouthing anybody here, but I think the most important thing to understand is they will lose, a hospital system can lose commercial clients, patients. If they disclose too early, if they disclose too much they could be opening themselves up.

ave seen an improvement since [...] eople yanking things offline [...]

That has been an improvement. Now what we need to be able to do is we need to take it to the next level. And all due transparency, the GAO will bring in subject matter experts like myself and put us into situations and say what would you do? That evaluation is very controlled and we don't always have all the pictures.

e going to have to buy a new [...]

Those kinds of things, funds have to move hands. And right now there's not a lot of burning, to cite Kotter, but there has to be a financial incentive to move forward. And with there being the financial constraints that most of our organizations see, like I literally put as a mantra for 25 to create margin, to work with our health system leaders to help them figure out ways to increase margin and still be protected enough.

If you are a CISO and a CIO, you're combined in this effort together. And let's just say we are partnered with you as an advisor to help us be safer. If we have the NIST cybersecurity framework in place, if we've evaluated the tools that are available to us from a government perspective, if we've And we're making sure that we're utilizing the right policies, the right involvement, etc.

e's always going to be a gap [...]

How does that narrative play out in understanding that there's always going to be a gap and what is considered

So it's interesting, and this is what I like about being a clinician who is well versed in cybersecurity is, I go to the body. If I give you all your vaccinations and I make sure that you're in relatively good shape and you're living, eating a healthy diet and everything else, I can roll the dice and say, you have good odds to have long life.

e Internet of Things and all [...]

Patient, as a living, breathing patient, they will be subjected to random changes, random acts of violence. There's things you can prepare for, but you cannot anticipate everything. What can you

How can you re instill that? So first and foremost, you talk about creating margin.

And I think one of the biggest things that I've seen us do at First Health is when we go in, I've received when I was in the government, vendors coming up all the time saying, I've got this new tool, it's going to help you solve all the world's ails, and by the way, we'll probably solve cancer while we're at it.

And I'm like okay, talk about this. I've watched our team go in and we say, okay, stop. I know you want to acquire this new flashy. You have something that will do the same thing. Let us first rationalize what you've got. Let's get everything operating the way it's supposed to. Let's look for those not needed redundancies.

because when we saw with the [...]

What you can do is operationalize what you've got. And then who else is using

If you've got a passive listening device to identify your Internet of Things and medical things, then who else can be using that data? Can the clinicians use some of the data out of there? Can the IT staff? Can the IS staff? Let's find out how we can maximize what you've already paid for. That's number one.

Then as we start to move into more of briefing the board and preparing everybody, we need to really look at: what is your resiliency plan? I've got daughters; one of them was like, oh, I might get sick. I said, okay, so what happens if you get sick? Walk me through all the steps.

ause they have to go through [...]

But, as they sit in and talk to me, and they work through, and they go through the worst case scenario, and then we say, okay, we've done all the preventative. Now, let us prepare for the eventuality that something might occur, and you build plans that are resilient. The visualization I like to give is you can fail like the miracle on the Hudson, or you can fail like the Hindenburg.

The miracle on the Hudson was a failure. The aircraft failed. The pilots were able to land it in one of the most challenging methodologies, and not a life was lost. That's because the pilot was resilient, the plan was resilient, and we were able to implement it and really adapt at the time. So now you look at the Hindenburg, obviously, didn't go so well, went up like a top, and many lives were lost.

rt of our conversation? What [...]

It's called the Field Manual 7-8. It's not called that anymore, but back when old guys like me were in, it was the infantry tactical manual. Why would you train an air defender, a nurse, on infantry tactics? It's building blocks. It is basic construct. If you can do the basics, if you have a baseline, everybody has a shared vision of what that baseline is.

Now we can go and be resilient. We can mix and match parts of it to be able to continue to work. Take that into healthcare. Where is your downtime plan? Who wrote it? Who signed it? Who read it? Who do you have at your tabletops? That's one of my first things: show me your invite list to your tabletops.

ve, first of all, the biomed [...]

And now what are you going to do? And they've got a monitor sitting beside the patient and it's beeping away and they're looking at it and they're doing all this other stuff. My first question is, what makes you think that's working? Yes, this could be a ransomware attack, but what's saying that's not working?

you are using that to make a clinical decision, you better know it's right. And when was the last time anybody checked the blood pressure cuffs? Next time you're in the clinic, look around the room, ask your nurse, ask your med tech, where's the manual blood pressure cuff? And if they don't know the answer, that's a problem, because they need to understand the baseline.

on't need special stuff. You [...]

How many of them actually carry a watch

these are all things that really go to the clinician's side of knowing the baseline. Because if the leadership has to focus during the downtime on making sure all of the clinicians can keep doing their work, they're not focusing on the reason that the downtime occurred and mitigating

It's full circle. The more that we invest on a unilateral methodology between all of us, and we all understand why we are doing the things we are doing in the downtime prep, in the tabletop exercises, those elements have to be understood at all levels. So that we can allow folks to be focusing on the events that they need to focus on.

[...] And to your point, which I [...]

are happening at a rapid pace, more so than they ever have before. And that also includes the divestiture component, which I wish got more attention as well, because you might be the one acquiring, but somebody else is divesting that. And they can improve efficiencies from an operational perspective, but major cybersecurity challenges that require careful management.

This was most recently shared by Greg Sieg, who's the CISO at University of Michigan Regional Health Network. And yet something we talk about often in our dinners and our summits and with partners like yourself, because, what is the due diligence required when you bring on a new organization? And how long should that walled garden be up?

that quarantine space? What [...] s, there's federal ones, but [...]

So there, has to be open lines of communications, not just at the C suite level. It has to be all the way down to the clinical level. A lot of times I've seen that, hospital systems, they just, wire in and bolt everything together from, the acquired hospital and the parent hospital.

That's not really an enterprise approach. You no longer have a baseline. You no longer have a standard. And now, how can you make sure that if something were to happen, are you Hudson or are you Hindenburg? This again pulls in. If you don't then go down and make sure that everybody is rowing in the same direction, you could be creating churn.

's all coming together. That [...]

assessments, I love assessments, okay, because we need to be able to see first. And this is a terminology that I stole ubiquitously from the 1st Brigade, 25th Infantry when I was in Iraq. When we were dealing with the enemy, it was see first, understand first, and act decisively. And those three steps have stayed with me for quite a long time.

A cybersecurity assessment helps you see first, that just lists it out. Understand first, you need people that operate in the environment. You need people to then say, hey, here's the potential risk. Here's your clinical impact. You will hear that from me religiously. What is the clinical impact of these mitigations that you would need to put in place?

ing to bolt together what is [...]

If an entity in your organization, whether it is newly acquired or been with you for years, does things in a way that does not work to your mission, vision, your organizational perspective, that's a risk. And you need to accept, transfer, or mitigate that risk. And that's where working with those organizations, you have to be able to really work a pragmatic integration approach.

You have to look at how you can determine which needs to be brought in, which, hey, I understand this is how you've always done it, I understand, we need to change this for this reason, so that this can continue. You can't just give the, you'll change this and walk away. You need to work with the people to get to the hearts and minds.

I have an old captain [...]

So it's an important way to open lines of communication to say, Hey, look, I'm gonna need you to change this, and here's why. If nurses, doctors, techs, and front desk staff understand the why, of what's going on, they can better embody it. And they can take that building block and say, okay, I need to change this for this reason.

as been a labor of love since [...] my, Air Force, and Navy come [...]

And one of the things that we learned is that there was differences in each of those organizations. And we had to account for those and mitigate them and work together and find the best out of all of the organizations to improve the overall organization. And I think really when you work on that cultural level and you really get down to the brass tacks, General Ronald Place and his brother General Michael Place, both worked hard to really influence the culture of the MHS and the Defense Health Agency.

ore that you're talking with [...]

We are in a collaborative health record day, where everybody has to contribute to keep the patient safe. And what an amazing perspective that you've shared across the continuum. Everybody's responsibility for

[Keeping the Patient Safe]

safe, whether that is following legislation that's occurring from a bipartisan perspective to where the clinician fits in the whole resiliency aspect, to the front desk registration clerk who's making sure that thoughtfully get into the hospital or the clinic in the first place.

ially going into a new year, [...]

Because new administration, because new regulations, because new opportunities coming forward, there's really no better time to be a part of cybersecurity and also a harrowing time as leaders realizing that you're always a step away from something happening. It's do you feel comfortable enough with the protections you have in place to realize that yes, I can and want to receive my care here and I know that my nurse knows where the manual blood pressure cuff is in the room. I'm actually going to go look for it next time I do my checkup. I'm going to say, hey, where is it? How do you handle this? I usually ask them annoying questions anyway. But really understand their resilience and going forward is going to be key. So thank you for bringing all of those perspectives forward today.

and dear to my heart. All of [...]

All of us have a part to play in this. Every United States citizen, every citizen of the world that has a healthcare system, you are participating. You can choose how you want to be that participant. Active or passive. And I've chosen to be active. And anything you do in your hospital systems or as a patient, you should be practicing at home as well when it comes to cyber preparedness and cyber

[Mic bleed]

Absolutely. We love having First Health Advisory as a partner. Thank you for your insights and time today. And for all of you listening to Newsday, we appreciate you listening as well. That's all for now.

Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com slash news.


© Copyright 2024 Health Lyrics All rights reserved