This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

What is healthcare doing around cybersecurity? What are the risks that need to be addressed? And how do we begin to move healthcare as an industry forward

Thanks for joining us on This Week Health Keynote. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to our Keynote show sponsors Sirius Healthcare, VMware, Transcarent, Press Ganey, Semperis and Veritas for choosing to invest in our mission to develop the next generation of health leaders.

All right. So on June 2nd, 2017, there was a letter sent to Congress to the honorables. Let's see, Lamar Alexander, Ron Johnson, Richard Burr, Greg Walden Michael McCall and Devin Nunez. Who wherein Congress at that time, June 2nd, 2017, it said on behalf of the health care industry, cybersecurity task force, we are pleased to submit to you this report on improving the health care industry, cybersecurity posture of the cybersecurity act of 2015, provided a much needed opportunity to convene public and private sector subject matter experts to spend the last year discussing and developing recommendations on the growing challenge of cyber attacks.

Targeting healthcare 21 taskforce members contributed to this effort, including 17 from the private sector, as well as public and private sector. Co-chairs of the task force. We worked diligently to balance industry and government perspectives to solicit input from outside stakeholders and the general public.

couple more lines here on the task force. Discussions resulted in a development of six imperatives, along with cascading recommendations and action items. All of these reflect the need for a unified effort among public and private sector organizations of all sizes and across all sub sectors. It goes on and it ends with, we invite you to join us as we continue to advance this very important mission.

We thank you for your support of the task force and look forward to the opportunity to brief you on our findings. So here we are on the five-year anniversary of this letter, and we are going to take a look back and hopefully look forward with three of the members of the original task force to discuss that work.

And so today we have Bradford Marsh, who's now EVP government health, security, and technology with first health advisor. Theresa Meadows, CIO cook children's and David Ting, chief technology officer and founder of Tausight. And at least two of you are in completely different roles than when you were on the task force.

So a lot's changed over the last five years. I want to thank you all for joining the podcast. Welcome.

Thank you bill.

Thank, thank you.

So a lot has changed over the last five years, but let's, let's start with where we started. So Theresa, you were co-chair of the task force. Give us an idea of the group the group makeup and how it came together and the work of the task force itself.

Sure. Yeah. Thanks. This is super exciting. I'm glad to be back. I honestly, When we left, when we finished our task force work, I kind of thought this may be the end, but it actually was really just the beginning. So I appreciate the opportunity, but just a little history lesson. So that the task force was a a regulated task force from the cybersecurity act of 2015.

And so that particular act was put into law to really look at what is healthcare doing around cybersecurity? What are the risks that need to be addressed? And how do we begin to move? Healthcare as an industry forward improving that posture because it was clear that was the really the early beginnings of some of the very different cyber security landscape we have today.

So just early beginnings of ransomware, early beginnings of malware. Really being prevalent in healthcare. And so we had the opportunity to bring people together, not only governmental partners, but people across the industry. And so the way it came about was they sent out a call for action, for people to volunteer, to be part of the task force.

And so 200 names or submitted for people to participate. And they narrow down that group from 200 to 2021 by your account. And it really was across. Phases of industry. So hospital based people health plans pharmaceutical companies, biomedical device engineers, software engineering companies, EHR companies and that's they took a cross section of all those companies and formed the task force.

I had the privilege of being the co-chair I think only by default. So I missed the first meeting because I was on a cruise. First of all didn't know I was on the task force. So I get off the cruise boat and they're like, congratulations, Theresa, you were selected as one of the, the 20 people. And oh, by the way, we had a meeting while you were gone and we elected you co-chair

so, so David and Brad, did you nominate an electric co-chair? Is that how.

Yes with friends like us, you don't need enemies.

Standard line is everybody who wants to volunteer step forward. Yeah.

So at that point, I didn't think I really had an option, but to lead the task force. And what we were told was we basically had a year to get a cohesive. Make recommendations and produce a report.

And I'm thankful to say we were able to do that. My role is really to try to herd the cats as much as possible and to keep us on track and to make sure that we're producing good recommendations. And so what the outcome of that was many, many meetings many iterations. There were lots of very passionate people who felt their issues were important.

And so as trying to really define what do we think the most important imperatives are? And I think bill, our goal was we had to produce some recommendations. We had to produce a current state of what we thought the healthcare cyber landscape look like. And not only did we have to produce the recommendations, but we also had to produce well, what would be some intended action plans that someone post report could take forward and maybe begin to implement those changes. So when you look at the report is really designed that way. The current state of healthcare, the imperatives that we felt were important and then how to, what are some recommended action plans. And if you read the there's an executive summary, but you can read all of the action plans in the rapport. That was the process.

a fairly hefty report, as you would expect after meeting for the better part of a year, about 96 pages. Now I would imagine that was called down from what could have been a much, much larger report. How did you. They bring you together. You have to do that whole storming norming, forming kind of thing.

But once you get there, how do you determine what direction you're going to go? How are you going to build out the the report? Like what was top of mind at that point in the cybersecurity?

I mean, honestly, we felt like we were, at the very beginning, we met with a lot of under other industries to kind of understand how they got to the point.

So we met with the financial industry, the gas industry, and they kind of talked about their formation of their cyber security plans. And what we realized was. We don't have any of that structure. So that's where we started with. Okay. We first need to define organizations, need some active governance. So that was like one of the first imperatives.

We've got to figure out leadership structures, governance structures, and begin to set expectations across the industry as a whole. And so you'll see recommendations there. And then we just started breaking down. What are our core is. We know we have issues with medical devices. We know we have issues with legacy technology.

We know that we don't have a good way to share information. And so we kind of brainstormed all the things that we didn't have and then we kind of ranked, okay, these are the most important things we think we got to address first, so we can even get, cause we were really in the infancy immaturity stage.

And how do we. Get to a mature industry like finance, finance is very mature from their cyber practices. But we're not there yet. So what are some of the building blocks? And that's what we worked on. And you'll see in the imperatives, they're all building block type activities because those things did not don't exist holistically in the healthcare industry.

So I, I think this is a point that we should really call out. One of the reasons why Theresa was nominated in absentia. She's a nurse, all these other infrastructure sectors they're critical. They can impact people's lives. They can impact health. Ours directly does. Every day we are touching patients.

Theresa and I are both nurses now. I was not actually a sitting member of the task force. I directly supported Dr. Warren Thompson in, from the federal EHR, actually at the time, it was the program executive office defense health care management systems, interagency program, office, DOD VA. I directly supported her, but we were the only two bedside clinicians in the start.

Now it did evolve over time. We had new members to come. And they had clinical background, but it was seeing how we can be alike and how we are different from those other critical infrastructure sectors, which is why it was so vitally important that Theresa set as that co-chair so bratty because it gives a different perspective.

Yeah. So Brad, was cybersecurity actually impacting the delivery of care at that point. Where we worry or just, we were sort of projecting and saying, no, it can. If cybersecurity escalates, if these attacks escalate, it can actually impact the delivery of care and actually cause harm.

We were seeing it more and more after meaningful use was signed in and we, we got more and more EHR. That's great. We were, it's made more affordable to more agencies. Great. You have this ability. Now we can stop manual data entry that saves patients. And we had barcode medication administration that had saves patients.

But when we have those things, you start to connect more, to reduce other risk. When you have a clinician mindset, it's patient safety. When you have a cyber security perspective, it's cybersecurity safety. What Teresa being in the position she's in, she is the one person. That at that time could say cybersecurity is patient safety.

And so we were seeing the writing on the wall back in an allegory. When you look at the world wars, if there was a red cross on a building, it was avoided from shelling. For the most part, we're going to speak in generalities that red cross used to protect you as warfare has evolved over time. That then became a target.

We were the soft target. We thought nobody would attack us because we are doing good. We are taking care of people. We are not political. We are not in any way, shape or form attacking another country with a hospital. But when we were seen as the soft underbelly of the United States in our critical infrastructure sector, That's where it began to be stabilized. And so we saw the over the horizon,

the one thing I'm going to add to what Brad said, I think what we were the federal, our federal partners, we're seeing more of that type of activity than we were. So we were more still stuck in how do we protect Phi and how do we not have a breach? And so really cyber security today in some instances is not really about the Phi.

It's really about. How do I prevent somebody from doing the job that they need to do for money? And so it's become a, more of a different spin on it. And we were kind of caught in the cross hairs because we're only worried about HIPAA, but this issue. Is a bigger issue than just protecting Phi.

And so I think our federal partners like Brad and others kind of educated us about, okay, we're these are the things that we see, but we don't share this information publicly. So there's not a way for you to know all the things going on. And this was the first time we kind of had insight behind the curtain about.

Healthcare is a target. We just, we just don't know it cause we're not engaged at the level that we should be in these topics. And so I think that's one of the main things I took away is we have to be more engaged and more sharing their,

📍 📍 All right. We'll get back to our show in just a minute. I want to tell you about the podcasts that I am the most excited about right now that I am listening to, as often as I possibly can under that is the town hall show that we launched on the community channel this week health community, and an Arizona Tuesdays and Thursdays. What I've done is I have essentially recruited these great. Hosts who are coming in and they're tapping people in their networks and having conversations with them about the things that are frontline kind of stuff. So it's, it's technical, deep dives, it's hot button issues. It's tactical challenges. it's all the stuff that is happening right there. Where you live on a daily basis. We have some braid hosts on this show. We have Charles Boise. Who's a, data scientist, Craig Richard, bill Lee, Milligan Reed, Stephan, who are all CEOs. We have Jake Lancaster Brett Oliver, who are CMIOs. We have mark Weisman who is a former CMIO and host of the CML podcast. And now a CIO. At title health and we also have the incomparable sushi shade who is fantastic. And I'm really excited about the fact that she's tapping into her network and having some great conversations as well. I'd love for you to tune into these episodes. I am learning a ton myself. You can subscribe on our community channel this week health community. You can do that on iTunes, on Spotify. On Google on Stitcher, you name it, we're out there and you can subscribe there and start having a listen to yourself. All right, let's get back to our show. 📍 📍

David has a chief technology officer. What was your role on the, task force?

So my role was we safeguarded the authentication for all the clinical systems. I think we had several major IDN in the room. It turns out we the company I was with before we secure, we were the authentication for all of them. And so as the de facto front door to safeguarding access to EMR, It is proving the identity of the users, the clinicians getting in, and that they actually follow the security rules and making sure that at least at that level, the identity of the proper users would be invalidated in a convenient manner. That is at least at the first level of security that you would want in defending the system.

we hear that finance is sophisticated. What did you learn about finance that you said. Well, gosh, it the technology? Is it the frameworks? Is it the connection between really understanding the, the government is how the organizations work well together. I mean, what, what was it that made finance sophisticated? We hear that in healthcare all the time. They're sophisticated, but what makes them sophisticated?

Quick anecdote on that. We were briefed by the head of one of the major banks. This head of security comes on and she said, I'm really fortunate. I have 500 cyber security analysts. To analyze every incident and the four largest IBNs basically says, I bet you, none of us have more than five on our staff.

That's the racial, that's the disparity. And then the comment was we can't hire and keep cybersecurity professionals because when we train them, Financial higher than my way. We cannot keep up in that shortage of staffing, the shortage of expertise, the attractiveness of the financial and other regulated industries that can just grab them.

We'll always make healthcare, be kind of the cobbler's children and not have enough staffing to keep them up. Up-to-date

so is it just budgets and staffing?

I think that's one dimension. I think it's the other one is like Theresa brought up it's the maturity they've been dealing with this for a longer time. Digital transformation has occurred in finance way back into the seventies or fifties even earlier, but in healthcare it's only happened within the past 15 years. So. Jokes. I always tell people. I said it used to be safer for records to be kept in the records department because to steal a thousand records, you have to walk out with 250 pounds of material in 2016 or 2015, 120 million records are stolen. At four ounces per patient jacket. that's millions of pounds of paper. You would have to transport to steal it. And yet we could steal it in an instant. Now that we're electronic is just as easy for somebody to compromise that system with a single click. And several of the people I know in the UK, a coincidence was the fact that when, by the time we came out to publish the report the.

Attack occurred simultaneously several of the CIO is I knew said we had no idea what was going on. Screens returning red across our system, help desk sort of lady got, finally, somebody said we're being attacked and we use the overhead page or to calorie one, unplug your computers from the wall. I mean, this is the reality of what was going on at the time we published three. It's a different world.

I think the other thing we learned is in finance, regardless of your size, if I'm a small mom and pop bank, I am required to have the same standards as a chase bank or a one large bank and today, a small mom and pop doctor's office. Is not required to have the same standards as a large health system or an IDN.

And so having some of that, those standard nomenclatures, which was really what the other part of the cyber security act was the 4 0 5 D work. That was really what that work was intended to do was to build those standards and some of that nomenclature, so that small, medium, large are all operating under the same mechanisms and having the same type of support that you would have if you're bigger LAR and that's the difference between finance and healthcare, we're all independent entities.

And we have, while states do impact the financial sector, it is to a lesser extent than it is in healthcare. We've got sharing laws for patient information that Texas, Oklahoma there's.

But, oh, we can't share because X, Y, and Z, it's an opt-in, it's an opt-out, there are so many different elements that go into this that are different requirements. One of the biggest things that we did was I remember a whole week where we just went through law and we saw how there were conflicting requirements, even from a federal government that we were required to do a, B and C.

And then we were prohibited from doing C, D and E. But wait a minute, we've got a conflict. How do we rectify that? And really, again, it goes back to in the financial district. Yes. They have an impact on people's lives. But if I give you an extra quarter, That's not going to kill you. If I give you an extra dose of insulin, I could potentially kill you.

And that is where that gravitas does come in. The thing I took away was that information sharing, I was totally taken aback and thrawled with the Phi SAC, seeing how they shared the information that as soon as there was an indicator of compromise it bank a across the UK. Other banks immediately began to action on that to make sure that they weren't being compromised.

what does that look like? is that like something that all banks subscribed to, or is that just an internet channel? That boom, it goes out. I mean, it sounds like it's pretty.

Well, the ice ax established years ago, information sharing and analysis centers. Now the terminology has changed on the federal side from end kick and everything else.

But it used to all feed into a cybersecurity analysis center they could share across ISAACs. And so it's, yes, it is a subscription. The health sector, we have one and as a matter of. One of the members of the task force became the leader of the late stage ISAC, I believe after we submitted the report and we saw the value of it But really investing in it.

The HII sec is doing the hard work of trying to connect us all. As soon as you see an indicator of compromise, it's one thing. If you've got a David ting looking at a screen that pops up and you say, Hey, we've got indicator compromise, Brad, we've got to, we've got this. Watch out. There's another thing when there's hundreds and thousands of these messages being sent, we've got those five people at the hospital, not the 500 that can then flag it as a true event or a fake positive.

So being able to subscribe to the HII SAC is one thing, but being able to use actionable data as another having managed services, having that capability, that somebody that. As a college professor. One of those things that I do on the side is, tell my students, don't just tell me something. Tell me so what, and that's what we're missing.

We're missing the, so what some of these mom and pops the financial sector doesn't have critical access banks. We have critical access hospitals. They have no money. They have in order to pay for people to be there. The federal government is giving as much money as they can. The states are doing what they can, but it's barely enough to hold onto the providers. There's not the money there to support a CSO to sit on the ground with a cyber team in rural Montana.

some of the recommendations. You'll say bill, you may remember with the safe harbors around providing EHR services to smaller entities, that was one of the things that we really pushed for was give us some safe Harbor so we can provide.

Curity services to the small entities that we work with and allow us to be not breaking the law around referrals and other things so that if I'm going to provide them, the EHR also let me provide them their security software, maybe a managed service because if we can start. Spread some of that, the way we did with the HRS, then the mom and pop can have some of the same things that we have.

And that was one of the recommendations in the taskforce report. That was really important because there's no way people are going to have the resources that maybe I have

and you can very easily violate, I think it was the star clause.

Right. Okay. Yes. And so we talked about how do we. And actually we were able to start getting some provisions and stark that actually happened where now we can provide security services under stark and not be in violation. So many things have changed over, but it's again picking one thing at a time and really going after it. And so that's kind of what we chose.

Chose to do as we went through the recommendation piece where are we today? But that's one of the outcomes is now with stark. We can provide some of that security to others, if they would like it in the.

I think that change makes a huge difference, because like you say, not everybody. In fact, the majority of the smaller practice or smaller hospitals, and then when let's not even talk about the distributed nature of healthcare will be smaller, independent practices that have zero and the whole. And now that we're working from home, the whole distributed nature where everything. Is used to treat patients and deliver care. We've expanded that surface area incredibly over the past five years

in the 21st century cures act. As they implemented in April, you have to connect. If the patient wants you to, you have to get. Josh Corman used to go around in our meetings and the quote that I don't remember where he stole it, but I'm going to steal it from him. It's if you can't afford to protect it, you can't afford to connect it. And there were exceptions built into that. But it is very explicit.

If you cannot connect to an API because of security reasons, you have to spell it out, this API, this security reason, and this is the get well plan. That takes a lot. And our cybersecurity professionals that we do have are busy trying to protect our perimeters. We're trying to secure at our walls. And as David said with our distributed nature, now I'm trying to protect over it. My people's houses.

that whole perimeter model, as we all know, is basically gone. We have to basically secure right up to the edge of care delivery.

there is no perimeter anymore, you have your business associates yet hospital at home. You have it. There there's no perimeter

Jericho project where the walls came down the perimeters. This infrastructure, that's basically what we have in healthcare. Your firewall is not the edge of where you can protect anymore.

All right. So I want to, I want to hit the imperatives and you started to hit on the imperatives, but I, I want you to walk us through each one.

I'm just going to read them out and then I'd love to get one of you to sort of comment on it. And then if the others want to chime in, that would be great. So the first one was. Define and streamline leadership, governance and expectations for health care industry cybersecurity. What is that about?

That was really trying to. First of all educate senior leadership and organizations that health, healthcare security is a priority. And so we put very structured recommendations around how to build a governance structure who should be involved in your discussions around cyber security. How do we get more interaction between the CEOs of our organizations and our federal counterparts and began putting.

If we don't have good leadership at each of the organizations who understand it, how do we expect the average nurse or doctor to understand it? And so really it was around education. Defining what good posture is. What is NIST? How do you use the dis framework? How do you incorporate some of those governance techniques into your daily activities?

And then how do you begin to use the four or five D work that's happened around best practice? Even though they hate when people say that, but good, good hygiene to really begin to change and move the needle. And there's still a lot of work that needs to happen there. I mean, we're still out of sight, out of mind, it's all I always say to people, yes, there was a cyber security incident, but it's kinda like having a baby, having a baby's really painful. But people forget and then they have more babies. Right. So it's kinda the same thing, okay. Scripts at a big event that was real painful for us. Like people who weren't at scripts.

But then we've kind of moved on and we've forgotten about it. Right? And so it's keeping that, that, that pain in and top of mind in your organizations and putting plans together and risk risk.

Now you went exactly where I was going to go, which was we had one, a cry going on at the time of this report. And it was, I was still hearing from CISOs and others, that it was still hard to get the attention of anyone. Cause it just was. It just, it wasn't close enough to home, but what I've heard since the script's event, It has gotten to the board level. It has gotten to the executive team level. We have CISOs now addressing the board on an ongoing basis.

What are we doing? How are we doing it? So it feels to me like maybe the task force can take credit, but that event more than anything might be the turning point for, oh, this cost scripts, $110 million. And that doesn't even count reputation and other things. that seems to have gotten the attention. It would you agree with that?

I agree with that 100%, that's a gift that keeps on giving that particular incident. And so I've used that. With our boards are more than once. And we have the cybersecurity insurance insurers are also using that event and using that to force people into making better decisions or doing things that they traditionally haven't done.

So I definitely think that was just, I think in our mind as a prediction, like we predicted there was going to be an event that. Eventually get people motivated to do something. And that's unfortunately for scripts that they had to be the

poster child.

But I think your point is really well taken that the cybersecurity industry, the cyber insurance industry has really now taken a step forward to say our premium.

They're going to keep going up, unless you can prove that you're doing a better job around securing your infrastructure, securing all the things that are needed to have. No cover all the CIA, the confidentiality, the integrity, and the availability and follow us standardized framework, or your rates will keep going up. that's the side effect of the scripts incident.

And then I think in that an action item 1.1, one through 1.16 we really wanted to have that cybersecurity leader. That could bring together HHS, public, private, and really lead that charge. When we continually, as we should have the secure and peaceful transfer of power from leader to leader over each year, each four year period.

We also see policies change. And the one thing that any tactician will tell you is you, the chink in the armor is at the transition of authority. It's when people are trying to get spun up into their jobs, that's where somebody is most vulnerable. And so. What we were trying to petition for is we need somebody that isn't tied to, that we need somebody that can, that can stay the course.

And when the leadership changes out, they may rotate out afterwards, but much like you see with the secretary of defense. They tend to span the gaps because that's what's needed. We needed somebody to bring us together. We had a great group of people and we had conversations not often had in public. We had people talking about intellectual property.

We had people talking about patient safety and people talking about cybersecurity and they were all in the same room and they were saying the same thing. So. If we have that in a leadership position and that's highest leadership positions in that pretty white house down on Pennsylvania, that would be good because then we have a common voice and a direct path to those that can make a difference.

I love this. I'm trying to figure out if the second one is the elephant in the room or the emperor has no clothes. I'm not sure which, but increase the security and resilience of medical devices. and health it at that time we were dealing with you can go into any system and 15% of their systems weren't patched just basic kind of stuff.

Medical devices was the wild west. I mean, just completely the wild west. And part of that was an FDA problem. And, but part of that was. It didn't report. I was the CIO. It didn't report to me. And that the people who had, did report to had no concept of cyber security, nor did they, nor did they care. I mean, had.

I don't know who wants to talk about this one? I mean what were you thinking and what were you doing?

Yeah, I'll start it. And then certainly chatting at this, this particular one was probably where we had our most heated discussions specifically between the FDA and industry, because they did not feel they had the authority to regulate medical devices.

They felt they had the authority to offer guidance. And because I give you guidance, you should follow it. And so the message we were trying to say to them is you may say we were giving you guidance, that you should allow people to patch your devices, but, but on the industry side, what happens is a manufacturer sees that as guidance and that's optional.

It's not a must do. And so there was lots of discussion about how do we make the guidance. More regulatory because there were so much variation. And I think by the end, we're starting to get, we're starting to get there and we're seeing a lot of improvements there, but this is probably still our biggest weakness because we don't have good regulations around creation of devices, maintenance of devices. And we don't have a good regulatory body who drives some of that.

Yeah. And a lot of times we can identify all the devices. Now we've since segmented them off the network, we've created feelings and those kinds of things. But has this ever happened to you? I had a device manufacturer come to me.

If you, if you upgrade that device, if you upgrade the last on that device, you will, it will no longer be FDA approved and you cannot use it to pry in the delivery of medicine. And have you not had that conversation?

100%. That was the exact example we used with the FDA. And they're like, that is not true.

man, I should've called, I should've told you.

So she got superheated right, because the manufacturers are saying it absolutely is true. And so that's the dynamic that we kind of had to push through is that. We need the FDA. When a manufacturer says that, say to them, that is not true. And the healthcare partners, we need to know that it's not true because we believe what the manufacturer tells us.

And so when you say that as a manufacturer, we're like, well, crap. Okay. I guess I better not touch it when the reality of it is, it was never true to begin with. And so Brad or David could certainly add on to that, but it was a very. Passionate topic.

Well, especially since we had a CIO who said we're out to buy a new EMR scanner because we can't order a CT scanner because the vendor won't allow us to patch it.

Oh man. I remember seeing the first scan of our network and they said, Hey, you have this many windows XP devices. Well, it was 2012. You have this many windows XP devices. We're where are the windows XP devices? And it was all medical devices.

all managed by different departments, not under the CIO's purview or control, except when they joined the network.

and to look at it. Theresa might be able to say, okay, all those off my network until they get patched and should fund new ones being purchased. What about that mom and pop. What about that small, critical access hospital? They can't do that. And it's a critical access hospital.

It's in the name. It's critical to that area. We need to keep that up and running. If we go to downtime. That's going to have significant impact to the American people. And so we need, we needed to be able to, how can we safely do this? How can we facilitate this? And so we, we became great preponderance great wanders of our time became community.

One of the key things that a nurse has to do to get their licenses, we have to do return demonstrations. We have to teach everything is about teaching and being an RN. So it became teaching. We had to say, Hey, here's the phone number to the FDA. We would hand out the phone number. If a vendor tells you this, you have to stand your ground and you have to be able to have the right intelligence.

We are in the hospitals before, when I retired out of the military. Even in the military, we we've got people doing a lot of jobs to keep the lights on and keep things moving in the civilian healthcare sector it's even worse and batteries even before a pandemic. And when we put our nurses and our clinicians to the brink, we've got our CIO is trying to come up with new virtual ways to connect people in 24 hours or less.

With all 17 no-fail missions. Oh, by the way, now I've got to, I can't trust my vendor. You need to have those strong relationships and we need to have those conversations. So that's why that imperative really was there is we needed to make sure that we got the action.

Well, then the next two are really about the workforce. So one is increased the capacity to prioritize and ensure cyber awareness and technical capabilities. The second the number four is increased healthcare industry readiness through improved cybersecurity awareness and education. And this is really about the staff. At the time back then we weren't talking about, well, we were talking about clinician burnout and those kinds of things, not at the level we're currently talking about it.

We also, weren't talking about the battle for it staff, although we were talking about it, but now. Really acute. And it's I, I don't know if I want to talk about it back then or now. Cause it's only been exacerbated by some things that are going on. So what were you hoping that that was going to happen as a result of these two things?

Josh Corman, and I spent a good weekend yelling at each other over the phone, making this work. Absolutely. It was that that throughput it is, is getting people out and then a graduate out of school applying for a cyber job. Okay. You need 10 years of. Well, I can't get experience until I'm hired.

Well, you can't get hired until you have 10 and it was that chicken and egg. And so that's where Josh and I, and when we brought this to the task force, we refined it even further. We had to start looking at internship programs. We have to start looking at growing those cyber professionals. It's more than just a degree.

It's more than just a certification. It's that experience. It's the mission. Being able to bring people in and really develop them. And we have to bring in a diverse population. We have to pull them from rural towns and we have inner cities. We need every ethnicity, gender, sexual identity. It doesn't matter.

We need all of this because. The different perspectives. The holistic perspectives in healthcare is what is required to be able to do this. When we have these different perspectives, we can see things in color and in 3d, in some places where one person looking at it from the same area that I grew up in and looks like me and talks like me is going to think like me.

That's dangerous by having that diverse background, we really benefit from it. And so those are the things that we needed to inspire. How do we get that younger workforce? How do we tap into that? And really it's those internships. It's looking for the ability to get an internship, not to put the intern.

If my company were to work for Teresa, we wouldn't put the intern on there by, by themselves. That's that's not safe. But it's to put them with those experienced individuals that have worked in other sectors. David pointed it out earlier we there's a brain drain over those other sectors that have more money, but it's when we get those cybersecurity professionals to see what are you doing?

Well, I'm fixing this switch. I'm fixing, I'm fixing the firewall. I'm putting this denial, but what are you doing? Walk them into the hospital again. pre-K. Get them into the hospitals, get them into the care settings, touch the patient, look at them and say you, the security professional are just as much of an impact as this nurse.

You are saving people. And that's really what we wanted to try and get out there is we need to instill a sense of mission. We get good people. We make good decisions. We grow them. If we are good, they will come back to our sector. So they might go out for a bit. But then it's experience. We bring them back in, they have their 10 years and now we can do it, but we can't do it without that pipeline. No.

Yeah, yeah. We can't afford them at that point, but yes,

that's, we're here. Some have come to fruition and some haven't was building cyber security curriculum into nursing and, and a medical school curriculum, so that when a physician or a nurse comes out of school, they understand the risks with cyber security and the other recommendation, which I think still could happen if we get some sort of support from our governmental partners is when we did meaningful.

They gave money to communities to set up a community health networks, where they actually trained doctors and nurses and, and communities where they couldn't afford. EHR support, they built the hands. Everybody heard of the hin network, where they trained thousands of physicians. They went out and they did cyber stuff.

The HR activities we asked for a similar program to meaningful use, or we could get money out to the rural areas where we could actually train cybersecurity professionals and those rural areas could then share. Resource there. So that was one of the recommendations that we had has that happened yet?

No, but I think some of those things, those concepts really helped expanding the HR to the small mom and pops. We need the same with cyber. We need it. We need something similar and we need some governmental incentives. To help with that. And so I still have my fingers crossed that might happen one day, but that's, that's some of the ideas that are in the report.

So I was sitting around with three or four CEOs and we were talking about this staffing shortage. And one of the CEOs from a major academic medical center said he went through his job descriptions and took out a college degree required on a whole. And cause he's, he looked at it and he goes, look, I can train somebody in cybersecurity to be an analyst.

I can train them to do this. I could train them to do that. And cybersecurity was one of the areas, but there was a couple others and he's like and we now see ourselves as a constant training organization. And we're bringing people in we're training them. We're giving them the next level.

We're giving them access to colleges and universities after we bring them in. And it gets to that if you take off college degree required, It does increase the pool of candidates. So you can hit that diversity. It also gives people an opportunity to earn a living wage that potentially aren't going to have that open up to them.

It was a really, it was really interesting conversation. The only reason I wanted to throw that in there is I want more CEOs to hear that and to think about it because most, not most, but I will say a lot of organizations. If you go in there, there's just a whole bunch of job descriptions that you read it and you go college degree required.

Well, and I really, so I enjoy that teaching it in nursing school and medical school and, and I, I I've made sure that one was in there because when I was in the army, somebody would ask me what, what I did. And I'm like, I am the Army's first cyber nurse. And they're like, what the heck is a cyber nurse?

And I'm like, I don't know, I made it up because there's, who else can sit with the CSO and discuss the V land structure where the IV pump is and why it's a bad idea to put your cell phone charging on the anesthesia machine just USB. It's just for power. Which is by far my favorite, his picture I've ever seen in any textbook.

But those are the things that. It is often said that the clinicians are our greatest vulnerability. They're out there. They're causing problems. And as a clinician, myself, I've pulled a few things in my day, but it was being able to understand that. How the cybersecurity impacted that patient care and patient care impacted cyber security. I was able to start to open those lines of communication. When I came to my company, I was the first nurse with the cyber background and, and that's when we changed our modality to include cyber clinicians, because.

We need to stop having a meeting where the CIO is here, the Cisco is here and the CMIO and CMO don't even show up to the meeting. They should not be at the point where a clinician is arguing with a Cisco and then they get involved. It should be a cogent family. You can't really have that. If your clinicians do not understand some of the basics.

By including that, in that care in healthcare, we've had gel and gel out. When you go into a patient room, you got a gel in and then, Hey, how you doing Mr. Russell? Good to see you today. I'm Brad, you're your nurse. And then as you leave gel out, we empowered our patients. Hey, if you don't see your clinician do this, you tell them you want that.

It was great. Did it say Theresa, you got to make sure you take a shower, make sure you've used. So wash your hands. No, we didn't do that because there was a base level of hygiene that was expected. We just added to that base level with a little bit more. What did we do as cyber security? We didn't have a base level.

There was nothing at home. We didn't talk about it. We just said, when you come to work, you use multifactor authentication. You got to lock things every two seconds. There was not an understanding because at home. On their cell phones, because I know every single person on this thing has gotten me well, I've got an iPhone.

This is the way it works. It's easy. It should be, healthcare should be like this iPhone, but it's not because it is people's lives. It is other things connected. And by having that education on those two of those clinicians early on, we can establish that base level of cyber hygiene and then add to it when we get to work.

number five, I'm going to skip, right. It's essentially talks about mechanisms to protect R and D and intellectual property. And I understand where that would come from and why that's important. Number six, though, I want to hit on before we quickly pivot to how, what has changed in the last five years and how are we doing?

So the last one is improved information, sharing of industry threats, weaknesses, and mitigations. So you talked about. Hi SAC and sharing information. And most CISOs that I know in healthcare right now are connected in there. They're monitoring that. So that has to be considered a win out of this, I would assume.

Yeah, 100%. I mean, I think the other win is the creation of the cyber working group under the health care sector council. And that literally. The formation of that group to the recommendations and they're bringing the recommendations to life. So they have working groups that are really trying to address all the issues.

And there have been a lot of information sharing, a lot of good white papers, a lot of good content. That's actually usable. It's one thing to write a 99 page a hundred page report. That may or may not be usable by someone. The work of the cyber working group is really creating things that people can use.

And that has really driven the information sharing. I mean, I would say before all of this work, we would have never been notified by the federal government that healthcare was under attack for a cyber security through Twitter. Yeah, chief, whatever his title is. I never got any of the titles, right. For the governmental people, but he was tweeting to healthcare.

Hey, healthcare, you there, you, you have an intimate threat that has never happened until after this work occurred. And so I think we now have visibility at the federal level. That w they do have to communicate with us and they have information they could share and they can share it in a way that we all understand. And yeah, it's still a work in progress, but exponentially better than it has ever been prior to this work.

I've seen a lot of people adopt. Frameworks, this frameworks and other things. at least over the last five years, there were some that have adopted it as far back as 10 years ago. But over the last five years, I hear a lot more, even the smaller systems talking about yeah.

We were using this framework. This framework is. I mean, it is it's something anyone could pick up and really build off of measure off of the whole, whole nine yards. I do wanna, I do want to touch on this in the last couple of minutes we have, which is. How are we doing? We sort of talked about this over the, over it, but I'd like to hear from all three, how are we doing?

How do you feel about the work and the impact that it's had and how are we doing in this cyber world it's constantly changing. So obviously work, you did five years ago, you could get together today and start over. And because the world changes every day. But David we'll start with you, talk a little bit about the work and its impact, and then how do you think we're doing.

So I think the attack surface has gotten a lot larger. I think the number of people, the practices, the smaller organizations are being hammered. I mean, post COVID, my two doc dental practice, he's doing dental hygiene. And he's telling me about how he got attacked during COVID. And he said, do you know anything about ransomware?

He said, cause my machines were all locked up. When I came here. It was identified as the next of machine that he had on the network that was used for scanning x-rays for legacy machines on patch, old versions, entry point. He said, I've learned about Bitcoins. I learned how to restore my machine, the tax.

He said, why would they attack a small practice with two doctors? I said, because they're working from home not only exposed more vulnerability, it's created more places for you. Patient records are being accessed. The word is also creating more access points to backend hospital systems where they become also the entry points for attacks.

More credentials are stolen. All these are the same byproducts of we've expanded our delivery net systems. We've expanded places where we're accessing. We're trying to now with information. Start to leverage the power of having an it backbone that can accelerate improve healthcare, but we sure have increased our attack surface and the sophistication of the attacks are gotten way better because these organizations run light businesses.

David, I can ask you 40 follow-on questions, but very, very briefly. We're relying on people. We need people, we need people. We hear that all the time, but you're the technologist chief technology officer. We have two clinicians here, but you're deep in the technology. Isn't it going to be machines, identifying those attacks and giving us a lot more notice when they're happening and shutting down certain areas. Isn't that the future of what we're doing.

The future is really how do we leverage all the newer technologies with instrumentation, IOT technology, AI at the edge, inferencing at the edge? How do we make the system smarter? How do we not make necessarily the clinician, the point of having to decide, should I click on this?

Should I do this? They should be focusing on treating the patients. The system has to be smarter. We have to have that intelligence built into the network, built into the system. Built-in into an infrastructure that allows us to manage this distributed environment that we're creating for better healthcare delivery. So there's yes, there's. like a really true distributed infrastructure, so care delivery.

So Theresa, you're going to get the last word I'm going to, I'm going to ask you about how we're doing, but Brad, I want to go to you first and say, how is the public private doing? Have we made progress with how we're working? The government agencies, federal state, and, the private sector, or have we made a significant amount of progress?

We have, we really have, and Theresa pointed it out. It's the shields up alerts that we get from HII SAC it's and it's coming from that federal side. It's the tweet it's it's these, the bodies that are sharing the information we can.

And again, there are certain classified levels that we can't share. Well, actually it's not we anymore I'm out. But the they can't. But they can say the right things that causes all of us to take a look. And the other side of it is we've moved forward. We've moved down the strip, but unfortunately our enemy has moved as well.

The fact that now when we go in and sit down to talk to us, so we're not only talking to the system anymore, they're not sending the intern to talk to the managed service providers. They're sending the CMO and the CFO. They are sitting in the room and their eyes are no longer glazing over. Now. They're not saying, what have you done for me lately? Instead, they're saying, what can you do to protect me in the future?

Fantastic. And Theresa close us out. Like you started us. How are we doing in healthcare? Are we making progress?

Yeah, I mean, I think we're making significant progress, but to the point Brad and David made, we're not as fast as our enemy. So we have to continue making as much progress. Like if one of the things, if I had to go back and look at our healthcare work over in the cyber security task force, we did not talk about business continuity at all. And so if I were to go backwards in time, I would spend more time on business continuity.

And how do we get organizations prepared for when the thing happens, because it's going to happen. And so we can all until David invents, the best technology that protects us all it's going to happen. And we did not have any recommendations on how to prepare your organization to live through a four week scripts.

Situation. And so if I were going forward, I think some of our recommendations still haven't been addressed and they need to be addressed. So I think we need to continue to stay on the gas pedal, but I think we need to add some of those more business oriented items that we did not talk about in the task force, because we just weren't knowledgeable at the point. And now we are, we have different, we know more than we did.

I think to your point, theresa, five years ago, ransomware in healthcare was just starting. There were only one or two incidents, and now it's pervasive. They've gone really sophisticated and they'll just take you down

and you can fail like the Hindenburg, or you can fail like the miracle on the Hudson. They had two statistically different results. What are we going to choose to?

That's a great analogy. I'm going to use that. Thank you. I want to thank you guys. Not only for the work that you did and the amount of time that you put in. But you made me feel I was kinda sad. I wasn't on the task force. Can you believe that? I just kind of say you made me feel like you guys really bonded. It was a great team and a lot of great work and stuff. So. Thanks again for coming on the show and sharing this information. We will put a link to the actual report it's still worth reading five years old, very much worth reading. A lot of great content in there. I, I went through it again today and again, really highly recommend people. Take a look at that. And again, thank you very much.

Okay. Seeing all of you.

What a great discussion. If you know someone that might benefit from a channel like this, from these kinds of discussions, go ahead and forward them a note. I know if I were a CIO today, I would have every one of my team members listening to a show like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com or wherever you listen to podcasts. Apple, Google, Overcast, everywhere. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our Keynote sponsors who are investing in our mission to develop the next generation of health leaders. Those are Sirius Healthcare. VMware, 📍 Transcarent, Press Ganey, Semperis and Veritas. Thanks for listening. That's all for now.