This Week Health
UnHack (the Podcast): From "All or Nothing" to Scalable Solutions and Resilience with Heather Costa


March 24, 2025: Heather Costa, Director of Technology Resilience at Mayo Clinic, shares her journey of rebranding her team from "disaster recovery operations" to "technology resilience operations," emphasizing that cyber incidents require a fundamentally different approach than physical disruptions. The conversation delves into the challenges of communicating technical needs with clinical staff, with Heather explaining her philosophy of "meeting people where they are" and focusing on their work rather than the technology. As cyber threats continue to evolve, Heather offers insights into building resilient systems that minimize disruption to patient care.

Key Points:

  1. 03:43 Heather's Role at Mayo Clinic
  2. 04:29 The Evolution of Disaster Recovery
  3. 07:10 Engaging Frontline Operators 
  4. 17:44 Building Blocks of Resilience
  5. 20:52 Lightning Round


Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain-English, mostly non-technical show about cybersecurity and risk, and the people, process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Hey everyone. I'm Drex and this is UnHack the Podcast. Today I'm really happy to have on the program my good friend, Heather Costa. Hey, Heather. Welcome to the show.

Hi Drex. I'm glad to be here with you. Thanks for having me.

Yeah, for sure. So by the time this airs, it'll probably be after HIMSS.

So I'll ask you the general quite well. We'll just start with how'd you do at VIVE? Are you recovering from VIVE?

Yeah,

We'll just keep plugging one thing in front of the other.

How's that? We were able to hang out a little bit at VIVE. You came to the meetup and then we ran around and hit a few joints after that and saw a bunch of people. Always a good time. What is your best tip to survive conferences, given that we have a lot of them and you come and speak at a lot of those conferences and do presentations?

What's your best tip for conference goers?

So I think you just have to take it as it comes. It's easy to get overwhelmed with all of the things that are happening

and.

o bed. I'm a little dull and

I'm not going to be out and about and hitting every single spot until the crack of dawn. So I think recovery for me is a little bit different than it might be for some others. No, no shame. Everyone has their own way of doing things. I'm pretty quiet. I did. I did not. So I'm pretty quiet and, I go and interact and then I need to retreat on my own.

So I think it's just a matter of doing what you know you need to do for your own mental health and sleep patterns.

Is this an introvert thing? I work really hard not to be an introvert, but I think I am. And once I do a bunch of these things, I usually need to be like, nobody talk to me for a while.

Sometimes it is I have to go back to my room and just be like, I don't want to hear from anyone for 10 hours.

Yeah. Yeah. I think it is. Well, and I think that's the definition, right? So often we think about introversion as being shy or not being able to speak to people or in public, and that really isn't it.

It's more about where you're

Vibrate your way out of the room and back to your hotel. There's a really logical place for me to start with you. You're at Mayo Clinic. You have an amazing, blows-me-away background. But let's start with your incredibly original job title. Tell me about that and where that came from, and talk a little bit about the work that you do now and how you evolved that work from your background.

nd I have ideas about things

Disaster recovery has historically been about physical disruption. It's been an all-or-nothing approach to being able to fail over if a meteor hits the data center, for example, and we know that the threat landscape isn't that. Yes, there are physical disruptions that happen. The problem is that the more traditional approach to disaster recovery doesn't serve us in the new threat landscape, where we're dealing with cyber incidents and cyber attacks and things that require us to.

disaster recovery operations

And my title changed with that to director of technology resilience, and the idea is that it's scalable, one. So it's no longer this all-or-nothing approach. We're really looking at how we can get one-to-many benefits in the work that we're doing, so that it can serve us for small-scale disruption, for things that might be physical disruption or things that might simply be typical technology.

There was an upgrade and the server isn't handling it the right way. Sometimes that happens: unplanned downtime, as well as the really bad day that we don't like to think about, but we have to.

If there's a cyber incident, we have to be able to recover from that. And so that's largely been a huge focus on our team and thinking about cyber resilience specifically.

really big on those sorts of

Yes, we are Mayo. We still have limited resources. Every organization does.

We have monumental tasks ahead of us. And you said it in the opening that cybersecurity is patient safety. That's absolutely true. So the job that we do matters and it saves lives. And that's how seriously we take the role. That's how important the work is. And we really are looking at making sure that the things we do to the left of boom mitigate the impacts to the right of boom, no matter what the boom is.

I can't always predict the thing that's going to go wrong. I can, though, with fair certainty say what the impacts of those things are going to be. So if I focus on mitigating the impacts, then the patients, our organization, our caregivers will be better served.

g to the front line director

To be involved in this, and a lot of them are like, they use systems. They do great work. They take care of patients or business operations or research. They know their work, but they don't really know the computer systems. And so sometimes when you're asking them things about business continuity or disaster recovery or resilience, they just have a hard time figuring out how to speak the language. How do you get them involved, and how do you keep them involved in all this work?

So I think the key is to meet people where they are. We don't talk about our work.

We talk about their work. I want to understand what they do. I want to understand what they need in order to be successful. And I don't want to only understand it in terms of the technology, but we need to understand it globally, when we think about people, process and technology, because that's the sort of layer of importance around that.

ve, it's meaningless without

Is that we're not talking about the work that we're doing. We're talking about the work that they're doing, identifying at a core what the problem statement is. I don't need them to solve it. I just need to understand what they do and what they need in order to do it. And then from there, we can discern what a reasonable set of solutions or options for solution is. When someone comes to you and says, I need you to implement this thing because this is going to solve my problem, but you don't understand the actual problem, you will spin around finding a solution for the solution.

rent solution. In that case,

And they don't understand necessarily, and nor should they have to understand, how all of those things are integrated or what it looks like under the hood or behind the wall. I often talk about what's in front of the wall versus what's behind the wall. When you're at home and you have a lamp that's sitting there, you turn the lamp on, you expect it to light.

And that's the end user experience: they push a button, they expect a result to happen.

Yeah,

It's my job to make sure that everything behind the wall is aligned in a way that allows them to push that button or turn that lamp on and get the result that they're looking for.

tors? That you actually find

Yeah, I think so. And we don't always find it, because at the end of the day, it's their work. They're going to know better than I do what the work is and what they need in order to accomplish it. I think we find a couple of things. One of the things I love about doing this work is that if we're doing it the right way, it gives us a lens that we really don't get in any other part of the organization, because you start to see how all of the pieces fit together.

You asked about my background prior to Mayo. I was at the Cleveland Clinic and I built really the first-of-its-kind integrated resiliency program for the Cleveland Clinic with an amazing team of just some of the smartest people I know. I still get to work with them. My team at Mayo is just this amazing team of some of the smartest.

of that incredible group of

It leads to a few things. One, again, we get that sort of 10,000-foot view of the entire organization.

You won't find other areas and other departments that have that.

Everything's connected to everything else and you get to see that whole flow.

Yeah. So that is just fascinating for me, and it, light bulbs.

It's one of the reasons why I'm so passionate about this work. I love it. And it's exciting to me to be able to see that. But the other thing that happens, I think, is that in those conversations, people will have aha moments. So it may not be that we've identified something that is a process improvement, but through that conversation, something will come up and it'll spark something else.

we start talking about their

That's not helpful. Everybody believes that their applications are the most important to them, right? And they're not wrong, they're not wrong, but we really have to look at it in terms of, organizationally, what we're trying to accomplish: our mission, which is the needs of the patient come first.

What does this look like for patient care and safety first and foremost, and then how do we align it? One of our physician leaders called it oxygen decisions. And it really is that. So being able to make those decisions with that lens of how everything connects to everything else changes how you do the work.

It changes how you approach the work and it will change our outcomes for the better for our patients.

I think you and I maybe at some point had an offline, another sort of conversation about this, but the resiliency planning too, it's not like there's a plan and then the plan is executed, right?

nimum viable sort of product

Yeah. So, and I think that's the departure from disaster recovery to more of that resilience conversation, particularly in cyber situations, because the recovery takes so much longer than just a restoration from backup.

On average, you can expect a five X, right? So if it takes an hour to restore this application, or a day to restore this application from backup, just like a typical disaster recovery process, times five is what you can expect for that same application when you think about cyber recovery and, like, a bare metal rebuild.


I need to know that the order in which I'm recovering them matters to the patient, matters to operations, clinical operations, business operations, et cetera. So you have to really map that very closely and you have to be able to granularly say, This is one, this is two, this is three, instead of these big buckets of these are tier one, these are tier two.

And when you do that, what happens is you create that minimum viable. So you've tied it to the process and you've said, okay, these are the most critical processes for patient care, and these processes sit inside of the emergency department, inside of the ICU, whatever those areas are. So here's the most critical areas, again, patient care and safety.

First and foremost, here's

But at minimum, this is what keeps people alive. Now I know that in that tier one, this is the first, second, and third that I have to recover. And in doing that, I've made the emergency department, the ICU, surgery, and anesthesia at least minimally viable, so that people are going to survive and we're not going to have that kind of catastrophic impact to patients.

That's really the heart of doing it. The magic is in the execution.

It's not an easy thing to get to, but the magic organizations

ructure and other, this is a

And we're working on it. It's a work in progress. Sure. There's no easy path to it. It's not an easy thing for anyone.

And there are new systems all the time, right? There's new systems and changes. Yep. Infrastructure upgrades, all that kind of stuff is happening. So here's another Heatherism.

It's a program, not a project. We'll never put a pin in it and call it done. So we have to be on that path of continuous improvement. My analogy is always getting the nickels. It works whether you're a football fan or not: two nickels will get your first down, or nickels will get your quarters and quarters will get your dollars, right?

ing I've learned, there's no

Yeah. Now you're speaking my language. Hey, a couple of other things here. Random, but tied to this work. What's your favorite metric? What metric do you like to look at often to see, are you on the continuous performance? Are you collecting the nickels that you think you're collecting?

So part of the strategy that we built out here is these building blocks of resilience.

So I've got six or seven big bucket things. Recovery metrics: time to recover, not just the objectives of what the business is saying they're needing, but how well are we doing in meeting those? What does the actual look like compared to the objective? Training and awareness and exercising.

have to find the right tools

They find the tool and then they try to build the process around the tool, which is something we just simply won't do. It's not effective in my estimation. So governance, roles and responsibilities, recovery, data resilience, and education and awareness. I think that's it. I think those are the five.

I haven't written down, so I don't have to remember. And we look at metrics in two different ways. So we look at the binary. Is it there or is it not? Planning is the other one. Is it there or is it not? Do we have plans or not? Yes or no? And then the maturity happens with what's the quality of those plans.

Oh.

ation. So all the blocks fit

It really is these different building blocks that create resilience, and looking at the metrics in more than one way. When we think about recovery testing, it cannot be simply, did we recover it or not? Or did we recover it within the time frame or not? We have to go further than that and look at what we recovered in this test.

What does that look like in the next test? Did we improve some areas? Maybe we haven't gotten it, again, perfect just yet. But did we shorten the recovery time actuals? Maybe we were an hour off and now we're half an hour off. That needs to be a marker of improvement.

Okay, so you're regularly measuring yourself against yourself.

if I can lessen the ultimate

Yeah, that is the epitome of the idea there, that you can have an incident, but to your end users, it feels like nothing actually happened. There may have been a lot of stuff going on in the background, but to them, it feels like nothing ever happened. To patients, they never get delayed or rescheduled or whatever.

Then, you're really hitting it.

That's our ultimate metric.

Yeah. We've only got a couple of minutes left. We'll do a couple of lightning round questions. These are things that just let people get to know you a little bit better.

Are you ready?

I'm ready.

I know it's nerve wracking.

What's a really unusual thing that you have, or a thing that you love, and this might be a habit or a tip or a trick. What's one of your super favorite things?

Fun fact. I like limited edition Oreos and soda.

Okay, you got to tell me more about that.

m a sucker for marketing. So

Love that.

It's so good. You do the same thing with sodas. Like strawberries and cream Dr. Pepper. Or it's limited edition. Did you know there's a mango Pepsi?

No, I did not know.

You see, the more, and I'm not even a big soda drinker, or I don't even really eat a lot of the Oreos. Mostly I get them.

I try it. And then the kids pass them on to somebody else. Yeah.

Yeah. The kids will finish them, but it's just, it's a thing.

Do you think you get these opportunities because you're in the Midwest, and that's one of those marketing places where they try, like, all their crazy new ideas?

It's like you should be living there. That's why.

Well, maybe so. But, Amazon. You could just buy them on Amazon. Oh, that's true. That's totally true.

We are so interconnected now. Anybody can get them. Anyone can partake in limited edition Oreos and soda.


And you're just like, that's terrible advice.

You have to start at the help desk.

That's terrible advice. Why is that?

Because the work that we do is so diverse. There's just such diversity in the work. When you say cyber security, so often people pick something in their minds.

Yes.

That it's only one thing.

rew out of strictly IT work,

There are transferable skills: critical thinking skills, problem solving skills, logistics, particularly in this work that we're doing. Those are things that we're all thinking about. And those skills can be acquired in the military. They can be acquired in parenting.

They can be acquired in a lot of different places and different ways. And I think that cybersecurity in general, healthcare cybersecurity, is made better by that diversity of thought and experience, and that's what will make us successful and experts in this.

It's so funny. I love that. That's a great pitch to folks. Some of the best project managers and cybersecurity people I've ever known at some point were bartenders, because there's a lot of juggling lots of different things, and knowing a lot of different formulas for stuff, and being able to handle different issues and challenges. So I've seen that.

ersecurity pros. Again, it's

I'm not sure if there's any. I change my mind a lot because of new information. I don't know that I can name one simple thing. It's often an evolution, right? I don't think there's just, like, a snap change in thinking. I think most of it is an evolution, where here's where I am and I've thought about this thing, and now I need to think through, oh, I've got new information.

y neck stand up the idea of,

I was sort of like, I don't think I want to go down that road. I think we should stay away from it. I use it regularly now for a lot of things. And I think, just like any emerging technology, a place where it's beneficial and helpful. But again, it has to be layered on the right leadership and the right process.

And in an ethical way that ensures that we're not creating risks and problems unnecessarily.

Hey, thanks for being on the show today. I really appreciate it. I have another hundred questions. I hope you'll come back at some point down the road. I know I'm going to see you at a summit somewhere down the road too, but yeah, you and I have had conversations before, and the more I talk to you, the more things I think of that I probably have never thought about.

I'm really glad you're on the show today.

always learn stuff from you

That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved