December 10: Today on TownHall, Sarah speaks with Ratana Kong DeLuca, Vice President of Professional Services at First Health Advisory about cybersecurity. Ratana shares her extensive experience in the industry, focusing on the necessity of cybersecurity for patient safety and operational efficiency. The conversation covers strategic elements of a strong cyber resilience strategy, navigating limited resources, the importance of external expert perspectives, and fostering diversity in cybersecurity roles. How do organizations stay creative in their cyber resilience strategies? What are the best practices for keeping up with emerging threats? They also address maintaining vigilance against emerging threats and the significance of mentoring and creative approaches in cybersecurity education. Ratana emphasizes the value of people in cybersecurity beyond technology and shares personal insights into her career journey, stressing the importance of making cybersecurity engaging and relevant in today's fast-paced information environment.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
This episode is brought to you by First Health Advisory. Health IT leaders strengthen and streamline your healthcare system with First Health Advisory. They offer comprehensive cyber risk management, governance and security optimization, and strategic advisory services to enhance patient safety and bolster cyber resilience.
Their expert solutions ensure compliance and boost operational efficiency. Visit ThisWeekHealth.com slash First Health Advisory today and elevate your cyber strategy with First Health Advisory.
Today on Town Hall
You have to keep being creative, so then it's not just, for them, another alert or another thing they have to worry about or brush off and not take seriously. TikTok kind of ruined us, right?
Because all those video clips, it's short spurts of videos. And that's now trained people to have the attention span of those short amounts of time only and not to have anything longer.
My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health.
We are dedicated to transforming healthcare, one connection at a time. Our Town Hall show is designed to bring insights from practitioners and leaders on the front lines of healthcare.
Alright, let's jump right into today's episode.
Welcome to Town Hall, where I am honored to be joined by Ratana Kong DeLuca today. She's Vice President of Professional Services at First Health Advisory, and she has been in the industry for over 20 years at the operations, provider, and administrative levels. She's been in cybersecurity for over five years as a consultant, advising on cyber risk strategy and enterprise resilience. And prior to that, she was a chief compliance, privacy, and information security officer in the healthcare industry for five years, and then spent almost 10 years working in state government regulatory enforcement agencies, focusing on advisory and regulatory compliance.
Now she's working at First Health Advisory as Vice President of Professional Services, overseeing all the professional security services, which include vCISO, strategic services, risk assessments, and privacy and compliance services. Ratana, welcome to the show. Thank you for having me, Sarah. It's so great to have you, because you are a busy woman, and a woman in security, such as cybersecurity, isn't as common.
And we may say something like, oh, strategic services, risk, privacy, compliance, which is bigger than ever, whether that's from the drive for AI and better programs, for patient engagement. Everything has this virtual component which has introduced so much more complexity into our environment. For you, how do you view the role of cybersecurity in healthcare as it truly increasingly becomes part of patient safety?
That's a great question, Sarah. So, honestly, for me, it's always been something that's necessary. Having cybersecurity is basically a part of contributing to patient safety. And so, without those controls in place, we wouldn't be able to operate any of the medical technologies that we have available in the healthcare space, at least to be able to use them properly and safely.
And, obviously securely to be able to like have it used meaningfully for the patients, in the treatment of healthcare. When an organization is looking at bringing new solutions in or where we get trapped often is re evaluating doing those annual vendor assessments or risk assessments for our systems.
What are some key elements of a strong cyber resilience strategy, especially if something you've had in place for years is now deemed not safe enough to be in your environment? How do you mitigate towards that? Well, overall, the cyber security resilience, cyber security strategy itself is making sure that it's a living program, to be able to adjust to the times.
It's not something that's static; it's very dynamic, and it should be fluid, adjusting to the change, to the threat landscape, and to the times as new technologies are introduced, new things are being introduced into just the world around us. And so one of the things that is critical to it is having the right people in place to be able to help manage the fluidity of the program as it needs to change and make those adjustments. And so, it's making sure that you're investing in your folks, your team, your leadership, and even the people that support the cybersecurity program at all levels.
And yet you have limited resources and sometimes limited funding for a cyber program in your organization. What's the best way a company or healthcare system can balance those expectations and needs? I mean, at some point in time, it's all about getting creative. And then again, if you find the right person, find the right group of people, they'll know how to get creative when it comes to making those adjustments, working with limited resources.
And, I guess from a resource perspective, a lot of people think it's technologies and equipment and things like that. Which is true in part, but you know, the biggest investment that you'll need to have to worry about is, again, it's the people, because after a while, technologies will reach its limitations as far as what it can support and provide.
It can't do all the thinking that you need to be able to think ahead and adjust to the change of the threat landscape, and also in the cyber landscape as well. So you need the people to be able to continue to maintain that, keep it up, and adjust along the way. So, limitations of the resources, again, may be tied to technologies, but you know, it's the people who are basically limitless when it comes to their capabilities and their thoughts. I love that answer because you said limitless in their abilities. And yet, if you are full time with the healthcare system and cyber is your focus, you're also enmeshed in your own environment.
I've long been a fan of having that supplemental support in areas where it is changing so quickly, or there's so much regulatory and compliance componentry mixed into all of it, that regardless of the size of an organization, I'm a fan of having someone like you, as an example, on retainer. When you see partnerships or relationships like that, how much stronger or safer does it make an organization when either you're there 10 hours a week or a month, depending on the complexity of the organization?
Philosophically, how is that a win for the organization? I mean, I think it's great to be able to have somebody to kind of have that external view for you, because again, once you're entrenched in the operations, the day to day within your facilities, it's really hard to separate the forest from the trees at that point.
You need, and it's also hard to find time to just take a step back and catch a breath and see where exactly you are. Having somebody come in, even if it's just for a couple hours, even if it's just like, touch points, every couple months, quarters, whatever it is, it'll give you like that refreshing view that you need to kind of, realign yourself and reset yourself to see where you are and then not always constantly, be your own judge and your own critique.
So for organizations that tend to keep everything in house, what are some best options or practices for them to stay current and active in their own resilience programming? I think it's good to have colleagues who are available for you with the right mindset amongst your team, having people at various levels and various experiences and skill sets to be able to kind of contribute to the diversity of your team itself, different points of views, different thought process, and even different, engagements that they have with other professional associations.
The other thing to do is have more peer to peer interactions within your own professional line, regardless of your role, in other facilities. Maybe they could, they, you could have a confidant that you could really talk to about certain things or you would just share ideas. I know a lot of states, a lot of regional areas are doing a lot of that stuff now, so participation in that is growing.
And it's also essential because you can share like problems and learn from each other at that point. Which that whole peer involvement and those different work groups are so key and there's no shortage of them in the cyber universe to always be sharing those open ideas and perspectives, ideally in a safe environment.
What are you seeing today, though, with some of the main challenges that are facing healthcare systems and providers? Well, I would say it's going to be keeping up with our threat actors, learning how to think like a bad guy, which not a lot of us are capable to do.
And plus it takes a lot of energy to kind of really get creative and catch up with them. We've seen that a lot. The other problem is, again, this ties into limited resources, but, being able to maintain downtime, having the right continuity plans in place, contingency plans, response plans in place to, to keep up with the threat and the levels of attack.
And we've seen now that the attacks have been, you know, deeper, having more significant impacts than what we've seen before than just like, taking down your email. It's now like completely disrupting hospital operations for not just like a couple weeks, but for months at a time and even up to the point where it's like been almost a year or so.
The fact that there are literally threat actors everywhere that spend their full time job looking for ways to get into the systems, how does a security professional create potentially what I would call the nefarious mindset, or have an awareness level, without the sky-is-falling, so that the people in their organizations appreciate the type of education and perspective that are being brought forward by their security teams? Because what you learn at work to stay safe applies to your house as well.
And I feel like that's the one thing that I do appreciate about cybersecurity awareness and training, et cetera, is that it is applicable across all walks of life. So for those of us that are set towards a compass of good, our job is to improve the human life through healthcare, as an example.
How do you develop a little bit of a bad guy thought process? I would say, try to put yourselves in their shoes, but it's really hard to really want to do that. And I'm not sure that everybody really wants to think about that, because of course, when you start thinking about that, you start thinking about all the bad things that could happen and things like that.
And that's what leads to a lot of like loss of sleep for a lot of people in our areas, our fields and our professions, because they start going down that path and then they realize what they don't have in place to be able to protect themselves with that. And then that creates a whole level of stress and frustration.
That's really hard to manage. I would say, I mean, there's a lot of other channels and associations. I know there's things with the FBI and CISA, and even all these other get-togethers that they do from a conference perspective to kind of educate people on that. We have those experts available, not we as in the global professional, we in this profession have that accessibility to get that information and learn about it.
But honestly, I think all it needs is just time. I think we're in such a reactive state, and not because it's intended to be reactive, but because there's so much going on, so many moving parts, it's really hard to take that time to step away and start learning and trying to understand and really assess what the state of things is and start thinking like the other side to create more proactive measures.
There's such a shortage of security professionals, both stateside and abroad. So as we're looking to fight the bad guys, as I call it, there are so many open positions. And cybersecurity is an amazing career for women, for many reasons, exactly what you just shared. We think about the what ifs, we think about protecting our families, we think about how to safeguard our own environments.
That's our nature. And you're a successful woman in cybersecurity. What has your journey been like? And some of the faced along the way, and very specifically, why you will encourage women to go into this field? Well, I'd say my journey began, unexpectedly into cyber, although I guess in hindsight, it really leads up to it perfectly.
But I started off in healthcare operations, from the administration side to provider side, back to administration, focused a little bit on the regulatory compliance side, privacy, and then ended up with cybersecurity. And really how that ended up in my lap was just managing all the breaches that I've had throughout the course of my career, which really inspired me to do more, because you realize the impact that it has truly on healthcare and the operations.
And I realized that I would have been able to do my previous roles before, on the provider side, administration side, operation side, if there's a cyber attack. And so seeing how many lives that it could impact potentially impact because of this, it kind of, led me into, maybe I should just focus on this.
There's so many things that so much good to be had that you can do. And it was, it's been the journey, I would say a lot of sleepless nights, but, you kind of see the value for it at the end. And I think for women, it's great for women, just because, like you said, we have that inherent caregiver role that we want to take care of things.
We want to make sure, fix all the boo boos, and make sure that no one gets harmed or hurt, and try to prevent as much as possible. But on the other side, there's also the stress of becoming a caregiver, being that caregiver, not just for your family circle, your family unit, but also to the organization, to your team, and then to the potential lives that could be impacted if the ball was dropped, one way or another.
And that's a lot of pressure to put on anybody, even for women who can shoulder it's already a lot for women to be able to bear that burden on their Except for the fact that when you think about maybe the emotional, mental, and physical taxation that our jobs can take on for us, we're somewhat wired that way and willing to admit when we need help, more often potentially than our male allies, as I like to say.
And there used to be this stigma that if there was a security breach or a security incident, it automatically went on the shoulders of the security professional. And often, and I remember this happening to several people in my ecosystem, they lost their jobs because there was a breach or because there was something that occurred from a cyber perspective.
And yet you did everything you needed to be doing organizationally; quote unquote, you did everything right. How much has that dynamic changed? Like if you see a healthcare system that has the right resiliency, the backup, the recovery, the impact analysis, all the things you need to be doing to have a safe and healthy security posture in your organization.
And something happens. What is the trend today? Are people still getting exited from an organization because something happened? When usually the human is the factor and not the human who created the program, it's the human who created the breach as an example. What are you seeing today? I think it's a mixed bag honestly, because we, again, we don't know what we hear on the other side that led to, that open vacancy or somebody stepping down.
It could be a combination of perhaps a security professional says, like, I've had enough, I've done what I could, and if the blame can fall on me, so be it, I'll just step down, or somebody else can do this, not me, I've had enough. The other parts could be just maybe the fact that the person in charge, and I really don't want to say in charge, but the person who's responsible for managing the cybersecurity program, wasn't able to do it and they couldn't get the support they need either. And they're just happy to, again, exit, or maybe, depending on the leadership culture and things like that, they just decided it's not going to work out. So I would say it's really hard to follow.
But I just know from a cybersecurity perspective, if you can't really judge your own profession because the struggles that they go through, you can appreciate the problems that they encounter. And again, like there's a lot of things outside their control that they It wouldn't be right to get to blame them for it.
I would agree, especially because too often, even if you point out these are the risks that are in our environment, are we willing, and I've gone this route before as an organization, to say everyone in the C suite is willing to sign off on this level of risk acceptance, because something might happen and yet we did everything we could based on staffing, budgeting, et cetera? That can sometimes put, again, that leader in a precarious position to say, are you willing to sign this as a team? And then you think culturally, well, if I'm working in an organization who doesn't want to be all in on the things we're willing to accept the risk for, do I want to be working here?
And yet it's not easy to switch jobs all the time. Even in a virtual or hybrid environment, you can't just say, hey, I'm going to go to the next organization, as an example. And again, as women, we like the stability. We like being able to know that we can take care of our families and ourselves and our organizations because the role that we're in has a level of stability, which may not even be true, because things happen in all organizations, and yet you take a high risk role in a space where you need to mitigate personal risk.
That balance isn't always commensurate. As we extend the ability to better support and encourage diversity, especially for women in cybersecurity roles, what are some of the things that we can do that help overcome the things we've been talking about today? I think, starting off on the colleague side, I think making the opportunities available for diversity is essential and that means having not just one person come in and make the entire change, but already having a support group to be able to make the opportunities for people to And that's regardless of any type of role, whether it be in a leadership, cyber security role, to even down to your analyst, everybody's going to need a support group of peers to be able to work together because it's not just one person running the cyber program, it's the team, it's the organization.
They're going to be responsible for making sure that everything is followed and meets all the elements for, cyber security program. So, from, I would say from the organization perspective, the culture needs to be accepting and supporting of a cybersecurity program, because that will take a lot of the stress off the shoulders of the people who are managing the program.
They shouldn't have to fight to be able to get certain controls implemented, to be able to allow the organization to continue operating safely and securely. Right. So the opportunity is definitely going to be something that would require the efforts of both sides. And we talk often about mentoring, in general, from a career perspective, and how important it is to have those that can guide you in your career.
For those in cyber roles, Should their mentorship be coming specifically from cyber or is, to your point, the cultural leadership aspect equally important and cyber professionals should have mentors beyond that cyber realm? I think so. I agree. I mean, it's going to be a combination, right? Because those who are entering the cyber world will have some baseline skill set that they want to focus on and build on.
And that's something that they would choose themselves to get into that role. I think a lot of the mentorship happens when it comes to applying what you've learned and learning how to use it meaningfully and applying it to the real world, right? The real operations, how things truly work, and that includes things like how to communicate with people, how to convey messages clearly to people from your cyber mind and translate it into the operational perspective.
So the non cyber, non technical folks can understand. And also just just how to deal with management, how to work with people and how to understand how the operations work in order to be able to find ways to get cyber controls inserted into it, to make sure, to show that it's not like a disruption or an additional add on, but how it can work together and flow.
Personal mentoring, a huge win. I think of mentoring also being an organizational responsibility, almost like coaching, guiding, mentoring your own company in their cyber fabric or their programs. How do HIT leaders, and potentially even the CIOs and CISOs, best prepare their teams for what it means to have a robust security program inclusive of emerging threats?
I think that part would be just a lot of education, right? Getting them to understand it as well, but I think it only works well if the leadership understands it too, and understands the impact, to be able to educate their teams on what the threats are, what it would mean, so they can understand to take things seriously for a certain type of, you know, if they say, I just want you to monitor alerts, right, from our SIEM, they can do more passive monitoring if they don't understand and it's just a directive to do it. Or, if they understand what the impact could be for certain indicators of compromise and attack, they know that if there's an alert that comes in, they could do it more actively and proactively, and alert and understand the implications so they can react to it and respond to it better.
Is there a role within health systems that is a great feeder for cyber programs? I ask the question from this lens. As a CIO, I loved hiring nurses for my informaticist or for some of my module programs within the EHR, because they may be ready to move on from direct patient care, and yet they understood all the components better than anybody in terms of how the technology supported caregiving.
Where do you tend to see the best feeder into cyber programs?
It's a really good question. I would agree with you, any person who's been in a provider role, they definitely understand and see the impact from that level and all the dependencies that roll up and all the interrelationships with the operations, the technologies. But honestly, I think we shouldn't limit it to just the clinicians and providers themselves; there's other folks that could understand things. Maybe somebody from the financial side could understand the financial impacts, too, of events when they happen and be able to be that advocate. Somebody from the human resources side could, you know, when they start screening and recruiting for people, look into the human element of certain things, not just from the capabilities perspective, but how they would do things, like the softer skills, the critical thinking, the conversations and communications, and being able to understand certain types of cues.
And then just, in general, the operations administrative side, just to understand, like, how operations work and whether or not server security controls, if they could be implemented well here, or how, even planning how they could be implemented within the operations, because they understand how that flows.
Like a job fair within your own hospital. Are you tired of your current role? Join the security team. Here's how we can help you. I'm always a fan also of drawing from other industries. Healthcare gets super insular. You'll see positions posted that say, must have 10 years healthcare experience. I appreciate that.
And from a cyber perspective, if you've had a robust program in finance, in manufacturing, in other engineering walks of life, wow, you bring that perspective in because all systems need to be safe. All organizations need to have those protocols. You can really glean some really interesting perspectives on, again, how to keep the bad guys out and how to educate the teams.
Our own Drex DeFord recently shared an article in the Two Minute Drill about how phishing training doesn't really work. I mean, phishing scams actually are what tend to be the way people get into organizations. When the education you're providing isn't necessarily sticking the way that it should, and people are not hacking into systems, they're getting in through people, how do we make sure that there's a level of awareness without it being so much that it's too much?
People ignore things if they hear them too often; there's a sweet spot of education that's important. What have you seen, or what are some of your favorite ways for people to realize the importance of their personal human role in cybersecurity? Honestly, I think the problem right now is that we are in information overload.
That's how our society is right now. You get the alert fatigue, you get the information fatigue, and then, you exercise something for so long, again, you reach a plateau. You reach the part where it just kind of phases out and people are kind of numb to it. I think with phishing exercises, with any sort of social engineering exercise, you have to keep being creative, finding ways to appeal to them.
So then it's not just, for them, another alert or another thing they have to worry about or brush off and not take seriously. So I think the more interactive you can make it, with the less time, the better. And honestly, somebody I spoke to a couple of years ago brought up a really good point, saying that TikTok kind of ruined us, right?
Because all those video clips or reels or whatever you call them, cause I don't have one, but they just say it's short spurts of videos. And that's now trained people to have the attention span of those short amounts of time only and not to have anything longer. So either we have to retrain people to be able to pay attention a little bit longer, or we find more ways to adjust, again, adapt to how society is changing now, to be able to educate people in the time span, or educate people in the manner, that now people are more paying attention to and understanding and how it truly applies to them.
I don't have TikTok either, but I feel like we need to go make an 18 second cybersecurity awareness video clip so people can put it out on LinkedIn or whatever form you still follow. Because to your point, there's so many social platforms that I actually got rid of all of them, except for LinkedIn, because I just didn't have time to spend on these other spaces.
I found I'd rather be reading or researching, or to your point, exercising when you hit a plateau instead. To each his own, of course, but good point. Maybe it's the smaller clips of fed information that are going to be really key. What are you following as a trend in cybersecurity today? Are you very curious about one specific area?
Do you find yourself tap dancing around five or six? Like, what compels you on a given day as far as capturing your interest in the cyber world? Well, a lot of it for me focuses on just the long term type effects; impact is always a big thing. I always look to the trends, following the FBI alerts, CISA alerts, about who the threat actors are that they're following and what type of things they're doing now, and just reading about that.
Tracking all the types of, vulnerabilities that are out there, the bulletins, and for me, I'd like to take that information out and then just try to create my little mind map of whether there's any sort of linkage association or associations within these alerts and, figure out where we're going to go from there, where we're going to go from here, what could possibly happen with IoT.
As we see the upticks or changes within, the threat landscape, like what's going to happen next, because at some point, once some one thing comes out, there's only going to be a matter of time before the other shoe drops. So for me, like the planning, figuring out what's going to happen, because it's that ongoing cat and mouse game, really, what's going to happen.
And after a day of reading FBI reports and looking at all the things that might happen, I hear that you love to cook. How does this hobby influence or inspire your approach to work, if at all, and how you also use it as a way to decompress from all the things that you picked up throughout the day? Well, if by decompress you mean stress eating, then yes, that's definitely one of my things that I like to tie into with work, but yes, you're right.
I do love to cook. A lot of the things that I've learned from cooking is that you have a standard, you have a recipe, how you handle it from here is still on you, how creative you can get, what you can adjust, and that kind of ties into the creativity of like managing, for example, your cybersecurity program.
Right, so you can flavor it as you need, work with the ingredients you have, you can always make it, change it, and it'll still taste great, it'll still look great, or you can have variations of it, and flavors of it, it'll still, it's all what you make of it, essentially, and cooking has that flexibility that you can do, and I find that there's times that you can translate it over into the future.
Anything within the real world, right? Like, it's limitless in your, what you want to do with it, how far you want to take it. So I don't cook well, which works out great in this household because my husband does. I'm in charge of table settings. Beverages and dishes. So I feel like if you and I were creating a cybersecurity program, you'd be like, we need a little bit of all of this, you need all of this.
And I'd be like, and here's all the things that make it pretty. And here's how we clean up the mess at the end. So yeah, it would be a great program. We'll make that part of our whole meal, and we can also design cybersecurity programs for you that help you adjust to the needs of your organization.
And a couple questions for fun, for the speed round, which I was about to jump into, because the serious stuff is what we think about all day long, and yet the fun stuff, too, brings an element of reality to what we're doing. And if you weren't in healthcare, what would you be doing? I would probably be opening up a restaurant or working as a chef somewhere.
Not that's not stressful on its own already, but again, like, cooking is a great stress relief. Thinking about the meals and what you can make and, trying new things. It's nice and it's refreshing to have to not think about something behind a computer screen and behind a keyboard.
And it's where you can kind of let your juices flow as far as what you want to do and what you could possibly enjoy and who would like it. Because cooking is one of the forms of communication and expressing, like a love language, right? So then it's a way for you to express yourself and how you feel about others, or how you can help better by just your food, your presentation, the ingredients, the flavor, the style, everything.
And it has a much better context. And if I said, Hey, what's your love language? You wouldn't say cyber security. It's cooking. And here's the parallels that fit into that. Okay. One more speed round question. Describe your job in three words. Or to a grammar school student who may not know what they want to be when they grow up.
I would say it's, obviously, it's exciting. There's always going to be a challenge. You're always going to be learning. You'll never get bored. You may get burnt out at times, and you'll need to take breaks, but you'll never get bored. And then the other part of it is just knowing how many lives you can impact, in a good way by doing, what you're doing right now and supporting cybersecurity and, especially in this day where we live with and rely on constantly technology.
Important. Have fun, work hard, make money, keep people safe. You're never going to get bored and you'll always have a long trajectory in the things that you are seeking. I feel like we could probably put out that 28 second video and recruit a whole bunch of people into the cybersecurity world. Thank you so much for spending time with us today and sharing your perspectives, your journey, and the things we need to be aware of to have a really robust cyber resilience program.
We also appreciate the relationship and partnership with First Health Advisory, which has been long term and ongoing and continues. So again, thank you for your time today. I look forward to our next conversation. Sounds good. Thank you, Sarah. Thanks for having me. Of course. For all of our listeners, thanks for listening.
That's all for now.
Thanks for listening to this week's Town Hall. A big thanks to our hosts and content creators. We really couldn't do it without them. We hope that you're going to share this podcast with a peer or a friend. It's a great chance to discuss and even establish a mentoring relationship along the way.
One way you can support the show is to subscribe and leave us a rating. That would be really appreciated.
Check them out at thisweekhealth.com slash partners. Thanks for listening. That's all for now.