Top 5 issues facing Healthcare CIOs. Today, #2 Cybersecurity.
Today in Health IT. This story is the second item of our top-of-mind issues for healthcare CIOs: cybersecurity. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.

Just a quick reminder this time, very quick. We have four shows for next year: This Week Health News, to stay current; This Week Health Conference, for keynote interviews and emerging products; This Week Health Community, where we hear from you about interesting solutions to the problems facing healthcare from the people who are solving them; and finally This Week Health Academy, where you can go, or send people, to learn about the intersection of technology and healthcare. You can sign up at thisweekhealth.com/shows.

All right. We said we're going to run through, this week, the top five top-of-mind issues for CIOs from the conferences I was at recently, doing interviews and having conversations. Those were labor, cyber, digital, automation, and caravan use. We'll cover the next three over the next three days. We covered labor yesterday and went into detail on the battle for staff and retention. Today is cybersecurity.

2020, or 2021, take your pick. It's hard to really determine where this actually happened, but let's just say over the last 24 months it felt like a scene from the Garden of Eden. We ate the apple and we found out we were naked, exposed, at risk. Healthcare is vulnerable. There were warnings clearly before that. WannaCry was a wake-up call, but it wasn't until hospitals started being held hostage and being taken offline for days that we started to realize that there was more involved here than a slight ding to our reputation or a small fine. I'm not saying that I wasn't aware of the risk before, but we couldn't sell it at most of the health systems. The events of the past 24 months gave us credibility in our claims that the sky actually was falling.
No longer was the CISO Chicken Little. The worst had actually come to pass, and we were right. But you know what? It's not that great being right. Systems went down, sometimes for weeks at a time, and sometimes with data loss that will never be recovered. There was at least one incident that claimed that a cyber event had caused a death. Again, not that neat being right.

So what now? You don't want me to recount all the incidents: Sky Lakes, Scripps, and countless others that may not have been as prominent. I've told you that I would cover these by putting my CIO hat back on and telling you how I would be approaching this challenge today if I were in the chair.

Let me start by saying this: there is no one-size-fits-all solution here. My listeners come from health systems with thousands of IT staff to just 20 IT staff. These call for different tactics, different investments, and an AMC may have risks that a single-hospital CIO may not have. So let's explore some of the common things before I explore some of the distinct challenges.

All right. I think the approach I would take right now is: we are under attack. At all times we are under attack. That is our posture, and that is what I would take from this day forward, every day being treated as if we're under attack. Let's have our standup calls. Let's have all those procedures in place where we are treating it like we are under attack today. Do we have our defenses in place? Do we know what's going on?

Which brings me to my second item here, which is, I would know the threats. Know who's after the information that you have. Know who's going to benefit the most from shutting down your health system. Know the tactics that they're using; stay current on their approaches and how they are infiltrating systems like yours.

The third thing is assess your defenses. Really assess them. You have to be honest at this point. One of the things that I found over the years is that people will say things like, "We're all vulnerable."
That's great, and that all may be true, but at the end of the day you have to honestly assess your defenses. And I'm going to come back to this in a little bit and talk about what you do with that honest assessment. But at this point, really look at it. Ask yourself the question: are we vulnerable? Don't just say, "Well, everyone's like this." No. How vulnerable are you? How prepared are you? You have to have that assessment done, and it has to be honest. If you need a third party to do it, which in most cases we do, have that done by the third party.

Number four: assume they are already in your network, and at that point understand your ability to identify their movements from within your network. Assume they're in, because they probably are already in your network, and understand that this capability of identifying what they're doing and how they're moving within your network is a must-have moving forward.

The next thing I would say is assume you will be completely ransomed at some point, and plan accordingly. All right, so there's enough information out there. We did a great webinar with the people from Sky Lakes; the CIO was kind enough to come on and share his experience in some detail. So if you want to know what it's going to feel like, he shares what it feels like and what goes on in those first couple of minutes of the cyber attack as you're watching systems just shut down one after another, not being able to gain access to your systems, and having to rely on vendors that you previously had worked with, but they're part of your cybersecurity insurance contract. And so they come in and actually ask you to step away from the keyboard while they do their forensics on the event itself.

If you have that information, assume you're going to be ransomed. What is your plan to come back online? What is your plan? Are you going to pay the ransom? Are you not going to pay the ransom? Are you going to start a recovery? Do you have the systems in place?
Have you air-gapped your backups? Is it enough to air-gap your backups? Do you have immutable backups? Is it enough to have immutable backups? What is going to work and what is not going to work? But plan accordingly. You're going to get ransomed; plan accordingly. That's how I would be thinking about it right now as a CIO.

All right, let's move on. So from the point of an honest assessment, plan your investments wisely. Acknowledge what you can and cannot do well. I'm going to get to this in a little bit, but for the smaller health systems there's an awful lot of things you cannot do well, and you're going to want to look outside your four walls for some help, and who's going to help you today to prepare for an event and in the future if you actually have an event. So acknowledge what you can and cannot do well and go find help.

Second thing is, be open and honest with the executive team and the board when asked. Hide nothing from the leadership. You don't want to be found hiding important information from those that could have made a difference, that can make the investments to shore up your foundation and your system. I wouldn't want to be that CIO who's trying to explain why they did not have an honest assessment, or why they withheld any information about that environment. Honest, open, here's where we're at. The executive team needs to be brought into the loop. The governance team needs to be brought into the loop so that they can determine what the risk is to the organization and what needs to happen. So that's table stakes. I assume everyone knows that; I just wanted to say it again out loud.

And then the next thing is ask for help, seek help, be open to help. This is not the kind of thing that every health system is going to have the resources and the wherewithal for. We need to utilize the resources that are out there that are designed to help us and designed to bring us together as a community to fight this threat. All right.
The next thing I would say is plan a complete strategy. I remember standing at a conference listening to CISOs share, and person after person talked about their education program. And while I was impressed with the programs they had developed, I couldn't help but think how unsophisticated the approach was to cybersecurity. You have to prevent, detect, remediate and recover, and that's not even a complete list of the things that need to be discussed and planned for. My point being, you can't have a single-threaded approach to cybersecurity. It needs to be multifaceted. You need a technology layer, you need a people and education layer, you need a remediation layer, you need a recovery layer. You need all those things in place if you are going to be able to be effective in the world that we currently live in.

All right, let me get moving here; I'm running out of time. So the next thing I would say is, know what your contracts say. It's interesting how many times this came up in conversations post breach event. "I didn't realize what my BAA agreement actually called for." "I didn't realize what my cybersecurity policy gave power to others during an incident, and called for me to utilize companies I wasn't familiar with." "We didn't have an agreement that protected us from an incident at our Community Connect site." It's things like that. Know what your contracts say.

Those are just a few stream-of-consciousness thoughts. Let me address some of the specifics for smaller players. You can't do this on your own. You have to find the right partners that can help you to build a sustainable program. You can't do it with one cyber person and an engineer. It's not even remotely possible. Line up the players that can help you; get them lined up today, prior to an event.

For an AMC, you have to be aware that nation states want the information that your research teams are working on. Nation states, you know, the ones.
The ones I'm talking about, the ones with well-funded armies of cyber specialists. The tactics are varied, and while a traditional phishing attack may not work in this case, they have other ways. And in those cases, you have to be tracking the motion of critical information around your network. You have to have complete visibility into the motion of your critical data assets at all times. This is going to serve you well, since attacks are no longer just being initiated from afar. Disgruntled employees are now offered money to get back at their employers: place this code on your network and we will take care of the rest, ransomware as a service. Oh, and by the way, if we successfully ransom your organization, we will give you a cut of the cryptocurrency. You have to track the movement of the data, and in order to do that, you have to have a very accurate data inventory as well.

All right. As I said, this isn't going to be exhaustive; I just wanted to share a few thoughts. This is top of mind for CIOs, and it should be. It should have been, probably, for at least the last decade. Now we know. So let's try to make 2022 a transformative year in this area.

All right, that's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher, you get the picture. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: VMware, Hill-Rom, Starbridge Advisors, McAfee and Aruba Networks. Thanks for listening. That's all for now.