Today on Insights. We go back to a conversation Host Bill Russell had with Brian the CIO and CISO at Faith Regional. The topic of discussion was The Many Hats of a Small Health System CIO with Brian Sterud. And Bill asks Brian what DOESN’T he do in the constraints of a small healthcare system?
Hello and welcome to another episode of Insights. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our hope is that these episodes serve as a resource for the advancement of your career and the continued success of your team. Now onto the show.
Your role is interesting. You're the CIO and CISO.
I've been here for about nine years. And a lot of things have changed and we've built it and done a lot of really great things here, I think, and built the team. Obviously over that course of time security has changed quite a bit. Not that it wasn't a focus nine years ago, but boy is it different today. And through that process, given the size of organization we are, it would be difficult probably for us to have a full-time CISO. And so through conversations with our CEO about how we can work together, the thought was, can I fulfill that role, be in that dual role? I know there are others that do that kind of thing.
But it's probably not the majority. And so come up with ways to do some educational things, and then there are some other vendor arrangements that we work through that help through that process. So I still have that responsibility of all the things that you would assume with the CIO and then also have the security officer's side of things as well.
Do you have a strong technical background?
Yeah. I always kind of joke with my staff. I used to be really useful and I'm not as useful. But the way that I cut my teeth was being very hands-on technical. I was certified in a whole bunch of technologies coming up in my career and through working at resellers and that kind of thing.
And so then I grew into a leadership role. And so most of that technical expertise was done on infrastructure-type items.
Wow. In the smaller health systems, you're really an active part. One of the things when I went into my role, my team kept saying, stop trying to be the CTO. Stop trying to be the CISO. We have those within our organization. But the reality is you play a little of those roles in the decision-making and the technology selection process and whatever, in all aspects, and really the smaller the health system, the more multifaceted you have to be and able to step into those conversations.
Yeah, you wear multiple hats. You hear that all the time. We have a fantastic team that we've really built smart over the last nine years and try to grow in the most appropriate way. Very strong teammates and other leadership within it that help us get our job done every day.
But one thing I would say, Bill is that when we look at our organization compared to some of the very large organizations that we interact with, we can be really nimble because of those multiple hats that we wear. And then we can be sometimes more effective because of it. So in other words, it's not the security guy throws something over the wall to the firewall guy that has to get changed where there's all those silo teams. We really have a cohesive team that works together and I think can problem solve faster because we don't have those different lanes so to speak.
Yeah. You don't have as many meetings. If three of you happened to go out to lunch, you can actually start talking about redesigning the network and those kinds of things. You don't have to say, hey, let's call meetings over the next three months to decide if this makes sense. Talk about the CISO role and how risk and security are handled at your organization.
You're the CISO but is there a governing board? Is there a health system wide group that helps sort of set the direction around security?
Yeah. So we worked really hard and are proud of a lot of the things that we've been able to do. So while I serve in that role, we have a security committee that is across the organization and involves stakeholders from, among others, HR, our physical security, our compliance team, our risk folks, and IT folks. We sit on that committee, make a lot of decisions there, and execute on a lot of the things that we're looking at. A lot of what leads into that are things like our annual risk assessment that we do.
And then that team takes that and we prioritize the work that needs to get done. And then yeah, through that committee, and for the most part being in senior management, I participate in our board meetings. So at the board level they get updates quarterly on all of IT, but specifically also certain metrics that we track on the security side of things. And then annually, we do a presentation on the state of cybersecurity specifically.
The nature of this caused, well clearly it's caused concern for all of us. I mean you have Scripps. You have Sky Lakes Medical, you have St. Laurence and others. But they went after hospitals of your size with ransomware. That has to have caused some concern. There used to be this mindset of we're small enough. They're not going to come after us. But they are coming after hospitals of your size at this point. Has that changed the conversation somewhat?
I think due to some of the things that have gone on across the country, I think some of the things that have even happened locally here, we do some work for and have relationships with some area critical access hospitals as well.
So it's become apparent the target that they are. And the conversation about convincing our senior executive team or our board on the threat is so much easier, unfortunately, than it was four or five years ago. It's very clear, and we've actually seen many of the things that have happened, and some of them firsthand.
And so the threat's always there. Right now, and this isn't a new thought, much like everybody else, our preparedness is preparing for when it's going to happen. So we've actually spent the better part of this year on pretty intense lessons learned on how do we operate if the system does go down?
And one thing I don't think people always do is, I think everybody is prepared for 24 hours or less. Once you start getting past that threshold things get a lot more complicated. So we've spent a lot of time across the organization; one of our project managers has led an endeavor where we're working on that process. How would we operate? How do we get bills out the door? And then recovery. So if it extended beyond 24 hours, how do we then recover from it properly? Make sure that patient care is first and foremost, and then make sure that we can get bills out the door. That kind of thing makes sure that we don't have an issue from a revenue perspective either.
Wow, thanks for tuning in to another great episode. If you have feedback for us regarding this content and materials, or if you would like to help us to amplify great thinking to propel healthcare forward, which is our mission, please send us a note at [email protected]. Thanks for listening. That's all for now.