Terry Ziemniak is an experienced healthcare CISO having served at PeaceHealth, Atrium, and Presence Health. He shares his research on the elements of a successful security program for Health IT.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Welcome to This Week in Health IT Influence, where we discuss the influence of technology on health with people who are making it happen. We are the fastest growing podcast in the Health IT space. My name is Bill Russell, recovering healthcare CIO and creator of This Week in Health IT, a set of podcasts and.
Of Health IT leaders. This podcast is brought to you by Health Lyrics. Have a struggling healthcare project you need to go well? Let's talk. Visit healthlyrics.com to schedule your free consultation. If you're enjoying the show and you wanna support our mission to develop the next generation of health leaders, there are five ways that you can do that.
The first is you can share it with the peer. The second, uh, share it on social media. Third thing, you hit our social accounts, LinkedIn, Twitter, YouTube, and share our post. Like them, all the other things that you do on social media. Four things. Send feedback questions and guest recommendations to me. I'd love to, uh, keep expanding the, uh, number of people that we are, uh, associated with and bringing into the community.
And the fifth thing is you could subscribe to our newsletter on the, uh, on the homepage. Uh, speaking of new people, today, we're joined by, uh, Terry, uh, Ziemniak. Terry, is that right? Well, if you're my Polish grandma, she would say, but it's become Americanized and now it's Zimak Zimak. Got it. He's the, uh, president of North Wonders.
Um, he was referred to me by, uh, Starbridge Advisors, uh, do some work with them as well. Uh, you are a, uh, CSO that has done many stints across healthcare, PeaceHealth, Carolinas Healthcare, now Atrium, uh, Presence Health and others. Um, you know, well, I guess Good morning. Welcome to the show. Good morning, Bill.
You know, the CISO is, is probably one of the hottest jobs in IT right now. It's really, I, my understanding is it's really hard to find good CISOs. It's really hard to, um, get contract CISOs as well. What, what types of things ha have you been working on over the last year? I. Well, it is interesting. I'm working with a couple partners to help address that problem.
A lot of the smaller and mid-size organizations, healthcare or otherwise, we're really struggling finding that CISO talent, so generally gonna be an expensive person, um, who can help, uh, bridge the conversation between business and technology. There's not a lot of people that, that fit that space well, and, and they're pretty expensive.
So we're seeing more and more need for what we call fractional CISO or virtual CISO. And, um, more and more programs are being developed where you can effectively rent a CISO to build a program. To build your strategy, to build your roadmap, uh, documents, get the buy-in from the organization, and then effectively hand that off to the IT organization.
So, um, I, I think that's actually gonna be a trend going forward is these, um, smaller, midsize organizations have a need for that skillset. Uh, security in those cases are typically handled by an IT manager or perhaps a security director who may or not, may not have that skillset to really interact with, with the business organization, the business side, because the end of the day security's there to protect the business.
And if you don't have that, that interaction and communication, which between business and security, uh, Go off tracks and off track and not get the support that it needs. So, um, these virtual CISOs are, are filling that role to help again, build roadmap and strategies and have the conversations to align the two, and then allow the in-house security and IT staff to execute those roadmaps.
Yeah, fractional CISOs joined the, uh, fractional, uh, chief marketing officers and other fractional, um, services that are out there, which, uh, I, you know, I could see it in this space. Whenever you have, uh, trouble finding really high quality talent and you have a, a significant need, those, uh, those kinds of services come into play.
So, for, for today, we have, uh, you know, we, we try to keep these things for 30 minutes and we have so much to cover. We're gonna cover one topic. For our discussion today, and that's security. And one of the things I always find interesting is that the number of listeners, when I put security in the, uh, in the title of the podcast, the number of listeners is always lower than other topics,
And I think that speaks to, uh, people are, they're struggling with security. They don't want to be reminded of it. Um, but I, everyone recognizes that it's extremely important. So let, let's start. I, I'm gonna start in a little bit of a, Uh, let's put ourselves in a board. I'll play a board member. Put my board member hat on and, and just throw a few questions that, uh, I've received in the past in board meetings.
And, uh, I, yeah, I just was someone with your expertise and experience. I'd love to get your background. So, uh, you know, the first question I, I think you might hear from a board member is, um, you know, they, they really only need to breach you once. They only need to get in once. If they have one credential, they get in, they're on the network, they figure out a way to get to things.
Um, You know, your breach. They got, they have your data, they can get to your data. Uh, how can we not be shooting for a hundred percent in this area? Because most CISOs would say, look, we just need to improve from, you know, 90% to 95 to 98. But that 2% leaves us vulnerable, doesn't it? It, it does. I I think a couple things come outta that, that, that question you, you had there, Bill, one is a hundred percent really is not achievable.
If, if somebody wants to, has the resources and the time they're gonna get in and, and to shoot for a hundred percent is unrealistic. You're never gonna get there and you're gonna get bank, you're gonna go bankrupt along the way. Um, I read an interesting article from the American Bar Association. They had guidance for, uh, legal organizations.
And to summarize their guidance is go and be pretty secure. Get the 85 90% done, and then insure the rest. So it is even from ABA directly, they, they say don't shoot for a hundred percent 'cause you're not gonna get there. Um, companies are breached all the time. So there's a difference between a breach and then data theft.
So, uh, viruses and, and phishing and bad links, bad things are happening in large organizations all the time. It's just kind of unavoidable. And, and that's the idea of defense in depth. You know, maybe they get into a user population or maybe they get into certain accounts or certain areas of your network, but your, your crown jewels, if you've identified 'em correctly, you have extra protections on those crown jewels.
So, Uh, perhaps they may not be able to find the data. If they find the data, perhaps they don't have access to the data. If they have access to the data, perhaps they can't exfiltrate the data. So you wanna put those layers in place, assuming that they're gonna occasionally get through the lower levels of your controls.
Um, hopefully we'll get stuck before they get to the top layer, um, and actually are able to take the crown jewels. But again, a hundred percent is just not reasonable. Um, with, with, with a, um, realistic budget. Um, yeah, I, I've always said we don't wanna spend a thousand dollars on a million dollar problem, and we don't wanna spend a million dollars on a thousand dollar problem.
And that's where risk management comes from. The idea of risk management. How much do we wanna spend? What are our priorities? 'cause you, you got an unlimited budget and security and probably still never be a hundred percent secure. Yeah. So three other quick questions I think I I often get from board members is how do we know there isn't somebody already in there actual, actual trading data?
Uh, well, it, it, there's that even that in itself is kind of a loaded question when you talk about data, I think a lot of companies even don't have a full inventory of their data. You know, where is your data? Are we talking about Bill's personal smartphone? I. His Gmail. Um, your network, your vendors and your partners, your data's all over the place.
So, um, really, I think a lot of companies struggle with the concept even of where is the data, but the question is, is it being stolen within a certain, uh, network? It's certainly possible. There's, there's tools that, that do a good job detecting that. Um, but as more and more traffic becomes encrypted, you can't necessarily see the traffic.
So then you have to kind of take another level of abstraction back. Um, is it coming from a dataset data store that's important to you? Is it going to a known bad IP address? Um, so it gets more and more complicated. It's ever evolving threats which require ever revolving controls to, to address those threats.
Yeah. What's, what's so, why, why are they going after health data? What's the value of health data on the open market? Well, it's interesting, there's an article a couple years ago, um, it just historically the value of, of healthcare data and records have gone up, up, up. And the idea being, uh, as compared to a credit card number, credit card numbers get stolen.
Visa writes off the loss and changes the number. No big deal. Um, it's really hard for Bill or for Terry to change your social security number, and, and that's where the value of the medical data comes because it, it, it doesn't change easily. So once you have it, you can get a lot of value outta that information.
However, uh, there's been such a deluge of healthcare breaches that on the black market, the value of medical records has peaked and it's going back down again Now. I guess that, I guess that's a positive. Um. Yeah. I mean the, the, the other thing I, I, I hear from board members is, you know, we've seen all these breaches.
What has been the business impact on the organizations that have been breached? Clearly they get, they have fines, but mm-hmm, they also have, um, they also have insurance as you have you stated earlier, um, there doesn't seem to have been any major. Blow back in terms of the, the revenue and, and the profit of organizations that have, um, that have experienced large data breaches.
Well, true. I think that's a valid statement, and it comes down to, from your business again, what's the business objective of cybersecurity? Is it to prevent a hundred percent of the breaches? Is it, um, is it a marketing aspect? I, I have a, a, a client I'm working with, and I, I spoke to the CEO, uh, she said specifically, objective one, we need to protect the data.
Objective two is we wanna use security as a marketing tool. Um, perhaps your business objectives. Uh, talk about, uh, the ability to share more data overseas. Um, perhaps you're worried about compliance, so you really need to understand what the business objectives are to build a security program. You can't protect, you can't defend against everything.
Um, you know, insurance is there, it's designed to fill those slots. You know, maybe you only wanna be 95% secure and you wanna insure the rest. Um, so what's the direct impact? Interesting article I read, Bill, um, they talk about healthcare specific, how the cost of marketing goes up. PO post breach, so healthcare organizations that have been breached, how their, their, their marketing budget, the two years following goes up.
So those, there are some direct costs, um, but it's not enough to shut companies down. Recently, OCR, um, made some announcements saying that the actual caps for HIPAA breaches are gonna go decrease. Um, so it is, it is difficult and that, that's why board members and organizations are struggling with the concept of how secure do we have to be.
Um, if they're not seeing a lot of direct. Of revenue to those breaches. Well, let's, uh, okay, so I'll take my board hat off and I, I sort of wanna walk, have you walk us through. So, um, I've seen some of your, uh, slide decks, some of your presentations and I, I'm, I'm gonna walk through 'cause some of it's pretty, uh, I think it's really valuable to our, to our listeners.
So just give us a state of security within health IT, what are you finding in the industry today? Sure. So, well, the research you're talking about, I'll give you a little background on that first. Um, working through UNC Charlotte, University of North Carolina, Charlotte, I got tied into a, uh, um, entrepreneurial program for, for some, uh, a company that I'm working on.
And, and, uh, That program included customer discovery. So, hey, entrepreneurs, you may have the best solution in the whole world, but it doesn't meet the business need. No one's gonna buy it. And that, that certainly makes sense. So while I was tasked as part of this program to go talk to a lot of executives about security, and when I was all said and done, I had dozens of interviews with, with, with leaders throughout healthcare and other industries saying, you know, this is our thought on security and this is where we think we're headed.
So it was great information. I tied it together and, and made a presentation based on it. So that's, that's some of the numbers that I'm gonna review with you Bill today. Um, but specifically, what's the state I started off with, Hey, hey, executive, how confident are you in your security controls? Do, do you think you have enough?
Do you not have enough? Uh, the majority felt they were actually good. They, they said their security controls were solid and they had high confidence in their security controls, uh, which was kind of interesting. About a quarter. Then on the other end of the spectrum said they had little to no confidence.
So it is kind, kind of a, a, a, a, a, a big gap there. Um, but there were people on both ends of, of that spectrum. Then I took the next step, Bill, and said, well, great, your security program is either good or poor. Let's break it into the pillars. So security really is not a, a monolith. Security consists generally of people process technology.
I said, okay, if your security program's great or it's poor, what do you feel about technology? And, and pretty much everyone, everyone said specifically, technology's in great shape, our technology part of security. Very comfortable. Okay. And I said, great technology process. We on process, about two thirds said, yeah, our processes are very solid.
Uh, the rest also then said that, well, our processes are pretty good. So no one had any big concerns about processes. Then I took the last pillar technology process. Let's talk about people. Almost everybody said people was the biggest risks of their security program. Um, so it's interesting when you take the idea of security as a whole and then break it into pieces, what are the concerns?
Technology is not the concern because technology is easy to sell. You know, the idea of, well, we need a hundred thousand dollars for a firewall, or we need to buy this service. So there's things that are, uh, you can see, you can touch and you can understand. Uh, the people side of cybersecurity is really the gap is, is they don't know how to move the needle in there and they don't really know how to get the value out of.
Um, the thousands of people perhaps working in the organization, and that was kind of a, a gap everyone acknowledged and they really didn't know how to deal with it. Um, but they also did say people had the, um, highest potential for improvement. So technology's in great shape. It can't improve much. We don't wanna put our effort there.
Um, all of them, nearly all of 'em said people's our biggest risk. And they all said people also had the highest opportunity for improvement. So that really, I think is, is gives you some visibility where the CISOs are looking is they, they see the hole in the people's side it and they wanna shore that up.
Yeah. It's um, you know, it's interesting I, I. Mentioned this a couple times, you know, when you have 23,000 people, or 30 or 40 or even 90,000 people in an organization, uh, that are willing to give away their, uh, credentials, with a, uh, with a phishing attack or those kind of things, that becomes your attack vector.
And, and you have to figure out a way to shore it up. I don't necessarily agree that the, uh, process and technology is, is baked within healthcare. And, and, and I would really, um, You know, we're, we're gonna focus in on the people side today. 'cause I think, I agree with you that it's a majority of the, of the challenge in an area that we can improve significantly.
But on the process and technology, I, but we, we spend too much time building walls, not enough time, um, analyzing what's going on, on the wire, doing, uh, a, an audit of our data and, and, and where all that data is an audit of our, uh, Business associates and our partners and what their security practices are, an audit of our cloud partners and their practices.
I think if you really dig into it, you're gonna find a significant, uh, a significant failure grade in terms of security. And I know I'll get in trouble from some people who say, well, that that's not indicative of all healthcare, but I think it's indicative of a lot of healthcare unless you're at scale, unless you have enough money to throw at this.
I mean, and by enough money, I mean. You know, four, five, $6 million a year to throw at this, you probably need to get an outsource provider because you don't have, uh, the expertise and the controls to put in place. Now, with that being said, I wanna go back to people, process technology. It's a, it's a common framework and it's there for a reason.
Because it, it is, it is a good framework to work from. Um, So if we can improve on the people side, let's, let's talk about some of the things we can do on the people side. So, um, how, you know, what are some areas that we can prioritize to, to make our culture better, to make the, the, the people aspect of our security better.
Well, I, I think the big problem that, that, that I definitely heard during the interviews and I've seen in my experience is people are really not using risk management concepts to the awareness program. So every CISO is gonna have some sort of risk register. I'm worried about X, Y, z, I'm worried about clinical engineering devices and shadow IT and cloud and personal devices and down the road.
Um, but that is not being used as input into the awareness program. People touch all of those risks and people can help mitigate those, not necessarily eradicate the risk, um, but it will reduce the risk by having more people aware of what's going on. So I think one of the key things is, Um, expansion of the awareness program.
Pretty much everybody does phishing tests, so we'll send out an email. If you click on it, you get a popup saying, Hey, Terry, don't click on that link. You shouldn't have done that, and here's why. And that's great. It's certainly a value. Um, but not many people are looking beyond phishing, you know, are, are they educating people on?
Um, you know, people may have their own backup responsibilities. Um, encryption the number one breach according to OCR, with, with the, uh, HIPAA wall of shame. Is, um, unintentional disclosure. So emailing things to the wrong people or not encrypting those sorts of simple mistakes. It's just a user awareness factor.
So, um, again, what I'm seeing is that people are very myopic and they're looking at a single topic when it comes to, to awareness. But, you know, when I was a CISO at the previous organization, very large multi-billion dollar companies. I generally had a security staff around 10 or 12 people for multi-billion dollar organizations, and there's, you know, 10, 20, 30,000 people.
You can't secure 30,000 people with 10 security folks. You need all 30,000 people. In theory, all, all of them. But you need all of 'em. Thinking about cybersecurity, you don't need 'em all to be firewall engineers. You don't need to be pen testers, but you want 'em a little cynical. You want 'em a little mindful.
And and that's really the objective that, that, that I'm hearing. Yeah. We, we almost have to start thinking, um, we have to start thinking in a nefarious way. Like, how, how would people get into this environment? And when I, when I sit across from security experts like yourself, they, they talk about, you know, simple things like, um,
You know, giving people access to your building and, you know, you don't think about that in terms of your security program and, and access to, um, you know, being able to walk by, you know, certain screens that aren't. Um, Uh, aren't, aren't shaded or whatnot. And then you, you also end up with, uh, actual employees who've been compromised and are essentially selling the information, uh, as sort of their, their side job.
I mean, so there's, there's so many different ways that you can, you can be breached. Um, And so how do you build that? That it needs a culture, right? It needs a culture where, as you say, 30,000 people are thinking about security. So, so how do you do that? You have 15, 20 staff. Let's assume we give you 25.
'cause we're feeling very generous. Well, thank you, generous. Um, what are you gonna do? How are you gonna do it? How are you gonna build that security culture? Well, that's interesting 'cause organizations that have been struggling with that concept forever is it, how do you set the right culture and maybe what is the right culture and how do you set the culture?
Um, what I've seen in that works is, is it needs to be, um, a multi-pronged attack, uh, attack. You're not gonna change the culture by going to the board or the C-suite and getting those 10, 20, 30 people on board. 'cause that does no good. They're up in their ivory tower. You're probably also not gonna make significant change if you're only working on the end users.
So if you are. Receptionists or your nurse or your finance or your HR people to think about security, that's great, but if they don't have the support, it's not enough. What you really need is to hit the third tier. You need to hit the middle management as well. So things like manager talking points, um, things like, um, uh, security risk assessments on staff.
You know, Hey, Bill clicked on Fat Five bad emails this year. Bill's boss should know about that. Um, if Bill's not participating in the annual training, Uh, Bill's boss needs executives. Uh, participating, supporting and tracking these concepts. You have middle management talking about the supporting and reinforcing these concepts, and then you have the end users hearing about these concepts and learning about these concepts at a user appropriate level.
What I call it aunt, aunt and uncle level concepts. Um, the three of those really I, I've seen help change the culture because it, it's, it's hitting all the different areas and it's supporting itself. Yeah, that makes sense. So the, this, uh, past couple of months we've seen, uh, major breaches, Quest, LabCorp, that were initiated through business partners.
Um, how do you involve business partners in a security program? Well, it, it is interesting. So, uh, previous 20 some years of my career, I've been on the corporate side as, as a security lead. Uh, you know, knocking on the third party and the vendor saying, Hey, are you secure? Are you secure? And historically it consisted of, here's a spreadsheet and convince me we're secure.
Um, now that I'm in the consulting space, the ca past couple of years, I'm actually on the receiving side of those spreadsheets or those assessments. And it really is a whole different perspective of, you know, if I'm a data analytics company and I have six different healthcare organizations I work with, I've gotta answer these questions six different times, and they may have different answers for different companies and they may be nuanced and whatnot.
So really as a mess is, is, is how do you shore up that relationship between your partners and, and, and the healthcare organization itself? Um, what is the right answer? I don't know that anyone's figured that out yet. There, there, there's services you can do. Um, I think the answer is something like a HITRUST sort of certification.
So working with, with my, um, service provider, um, client that I'm working with. They're gonna drive towards HITRUST. So then when, when the healthcare organization say, Hey, uh, convince me are secure, they can say, HITRUST says we're secure. Um, of course doesn't guarantee security doesn't guarantee you're properly secure or secure enough, but it is a stamp to say at least the bases are, are covered.
And I think something like that is really what needs to happen is, um, you know, these poor vendors and, and partners answering same spreadsheets over. Um, they, they, they just provide so little value and in many cases the, the, the hospital itself doesn't even review the spreadsheet. You know, the, the, the, the instructions we're getting from the healthcare provider says, just make sure none of the answers on the spreadsheet are blank.
As long as there's something in every single cell we'll pass you. And those are the, that's the information that, you know, the kind of low level users actually execute the spreadsheets or hearing back and forth. Um, so I think it, it, what would really help is the idea of a, a third party kind of a assessment to say, yes, they're secure.
Well, that's, you know, uh, Uh, a culture of patient safety, a a culture of security, uh, has similar characteristics. If the IT organization feels like there's so much pressure on innovation, on moving projects forward, on those kind of things, they're, they may shortcut. Certain things, and this is why you have different levels of security and, and different oversight.
But at the end of the day, a, a culture of security has to drive the same, uh, level of priority for the program through, through the entire organization. It can't, uh, you know, it, it can't be at different levels. The organization based on that department's priorities, I guess is what I'm saying. Agreed. And, uh, interesting, um, engagement I had last year is I, I worked with a larger healthcare organization to move, they, they brought me on board specifically to move security outside of IT over to legal organization.
Yeah. Um, so they brought me on board with the CIO was on board, which is great. Um, and we got that done. But it was in a whole different perspective of the world when you're outside of IT. Um, so as you're building the CISO office and running as the interim CISO, it gave me a level of visibility and I was able to talk high level, um, concepts that really went beyond the ears of the CIO.
So, um, when we established program concepts and policies and standard, it applied to the data, whether it was responsibility to the CIO or perhaps our clinical engineering department. Or our cloud providers, or our partners or our vendors down the road. Um, being outside of IT allowed me to, to, to discuss and formulate again, an umbrella of security that covered our data and our devices, regardless of where they sat and who was responsible for 'em.
So, Um, you know, good for that company. They, it, it actually, it was, it was a big win, um, uh, getting that done. Yeah. And I, one of, one of the first things I did as a CIO only because I was, I was interim CIO for about three weeks when we were, we had a breach, and I, I saw the impact of that, uh, on the entire organization.
Every project comes to a halt. You have to do a response. There's just, it's just a huge. Undertaking to respond to a breach. And so one of the first things I did is I took a look at the security practices. I said, well, this, this is not gonna work. So we took this, we took the, we hired a chief security officer who had a digital background as well as a physical background, and brought that together.
And then that person ended up reporting into, uh, uh, compliance and, and they became a peer of mine and oversaw things. Now, I still had a CISO within IT, but. CSO was primarily focused on digital and had oversight from the chief security officer, which was, uh, it felt like it was, it was a pretty good model.
Um, But, uh, and, and they work pretty, very closely together. So just for fun, let's, uh, you, you have in one of your slide decks, you have good Bob and bad Bob in terms of a security culture. Um, you know, so contrast the, uh, user within an organization. You have 30,000 employees, 50,000 employees, or even 3000 employees.
Contrast a, a person with the right mindset and a person who's maybe not, not tuned in. Right. So, um, again, the caveat, these aren't my words, these are the surveys. So, so I'll go through these. Uh, part of the exercise was, Hey, executive, let's talk about your users. How would you, how would you describe the goal?
What, what is your good bob? And then what is your bad Bob? And, and it. It's interesting, the things that I heard so bad. Bobs were described as things like not paying attention, um, clicks through anything, um, doesn't get it, things like that. Um, also a lot of 'em mentioned older. It was an age issue and I don't know is old so much that, um, it's strictly, um, the age, the birthday sort of concept.
But, but it does bring to light the idea that you have diff people with different backgrounds, different perspectives, uh, different acumens. So perhaps an 18 year old's idea of security and privacy is gonna be different from someone who's 30 versus someone who's 50. Um, someone who's very comfortable on a, on a, a computer, they have a different concepts of security versus someone who is very uncomfortable with the technology.
Um, so that just speaks to the need that when you work with people, you need to understand their point of view. The, the objective again, is not to make everyone white hat hackers, but you need to make 'em all a little more engaged and a little more involved in the program. Um, so those are the kind of things that I heard when I ask people about Bad Bob on the Good Bob.
Um, it really is, is a couple key things, mindful different ways they described it, but mindfulness. So slowing down, understanding the concept, taking a breath before you click that, that was a common thing. Um, empowered if, if you can get people to, to feel comfortable protecting themselves at home or taking, um, personal responsibility to encrypt files.
So the more people are doing things in a participating in the program, the more empowered they are. So, uh, empowerment's another one. Engaged. So are they thinking or do they feel a sense of accountability, engagement? Big thing. And lastly, what popped up is the idea of literacy. You know, uh, many people in the organization just are not technologists.
And I think as CISOs and CIOs, we, we often forget that a lot of people don't really understand technology. Um, they're not comfortable with technology and maybe they may be afraid, afraid to even talk about it. So basic literacy, um, of the tech technology, of the threats of the risks. So you need to have those sorts of basic concepts, um, to, for people to really participate in a security program.
Yeah. So what are some common, I mean, you talked about metrics a little bit, but what are some common metrics that, um, that a good program will have in place to measure their, their success of their program? Sure. Well, metrics is interesting. Everyone agreed that I spoke to. Metrics are important. I think just intuitively, we all understand the concepts.
The concept of what's measured can be improved. If you don't really know where you're starting from, you're not gonna know if you get any better. Um, common metrics are people that do phishing tests. Measure click rates. Um, some of them, uh, all of them track CBT participation. So your computer-based training, your annual video that you look at, they all track that.
They may track participation in presentations if they give those. Um, the fourth common metric is submitting phishing phish tests or actual phish to the help desk. So, um, the idea that Bill got a bad email and he was cognizant enough to send it to the help desk saying, Hey, this looks suspicious. So those are common metrics.
The problem with metrics is, uh, they don't really apply well to awareness when awareness is just the idea of culture. Right? How do you measure mindfulness? How do you measure engagement? Uh, there's not a good answer to that. Um, but the companies that are more advanced in the awareness space, they do things like focused campaigns.
We want specifically to talk about patient identity theft. Those are focus campaigns that, that, that I've seen run before. When you get to a focus campaign and you have specific objectives of patient identity theft, maybe you wanna measure and you wanna get the understanding of patient identity theft to go up across your department.
Um, maybe you want people to have a better understanding of the, uh, FTC red flags tied to identity theft. And maybe you wanna increase the number of reports of red flags, suspicious sorts of activity from your finance group. So if you have a focus campaign around objectives, then you can make very specific metrics.
I think that really is the gap on the awareness metrics front is people trying to measure, uh, culture and mindfulness and engagement, which is hard to do. But if you had specific objectives, if you had a specific campaign around, again, identity theft or password misuse or um, smartphone protections, then you can have metrics to support those objectives.
Terry, I have two more questions and I'm gonna do something different on this show. We're gonna, we're gonna close up the show. I'm still gonna ask you the two questions. I'm gonna record 'em, and then we will, we'll put 'em out on social media, but they're not gonna be a part of the, uh, the, the audio podcast.
So if people want to, to tune into those, they'll have to, uh, follow social media, uh, or, or subscribe to the, to the, uh, to the free newsletter. You'll get it as well. Um, so, uh, this is a great discussion. I really appreciate you coming on the show. We're at our 30 minute mark, so, uh, is there anything you wanna, wanna leave the listeners with, uh, you know, how they can follow you or, or get in touch with you?
Yeah, absolutely. My, uh, thank you. My, my website is northwonders.com, so feel free to visit me over there. Um, I'm very active on LinkedIn. Um, I, I regularly, uh, post information that really is, is leadership level content on cybersecurity. Um, so telling the story of, uh, Mondelez, who's the Oreo cookie manufacturer.
They had an interesting story where they were hit with ransomware and then took that cyber claim to their, their cyber insurance provider, which.
Wow. Um, so having those conversations and having leaders hear about, um, specific cyber attacks that directly impact business, a hundred million dollars cyber claim is gonna impact business. Um, but having those leadership level awareness concepts, I, I regularly, uh, post on LinkedIn about that. So, um, that, that'd be a great way to see what I'm.
Fantastic. So follow you on LinkedIn. Um, thanks for coming on. Uh, please come back every Friday for more great interviews with influencers. And don't forget, every Tuesday we take a look at the news, uh, which is impacting health IT. This show is a production of This Week in Health IT. For more great content, you can check out our website
at thisweekinhealthit.com or the YouTube channel at thisweekinhealthit.com/video. Thanks for listening. That's all for now.