March 24, 2025: Brad Marsh (BSN, RN, CEN, CHISL) EVP for Government, Health, and Security Technology at First Health Advisory, joins Drex for the news. How do we protect healthcare systems when everyday medical devices become potential security vulnerabilities? The conversation examines why governance matters more than acquiring new security tools, how organizations should approach comprehensive risk assessment, and what healthcare leaders can learn from the operational strategies of both military deployments and cyber attackers themselves.
Key Points:
News Articles:
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
... Their expert solutions ensure compliance and boost operational efficiency. Visit ThisWeekHealth.com slash First Health Advisory today and elevate your cyber strategy with First Health Advisory.
Today on Unhack the News.
We should not be afraid to communicate with each other.
Build those bridges in the good times. So when the bad times happen, I, as a nurse will come to you and escalate my concerns.
...sident of This Week Health's ... And now, this episode of Unhack the News.
Hey everyone, it's Drex and this is Unhack the News. Brad and I have been having a good conversation actually before we actually clicked record and so it's always fun to hang out with you. It's Brad Marsh from First Health Advisory.
How you doing, Brad?
Doing well, Drex. Glad to be here.
You know this first time on the show, right?
I think it's on this one. Yeah.
Yeah. First time on Unhack the News. Tell folks a little bit about yourself and what First Health Advisory does, what you're working on right now.
Thanks. So Brad Marsh.
...sector and in the government ... What's unique is I'm a nurse with that cybersecurity perspective, so I make it my mission every day, Drex, to engage with our clinicians to impart the cybersecurity capabilities that need to be there for our own safety to continue to take care of patients. But then also I relate the clinical perspectives back to our cybersecurity professionals. So really it's that Rosetta Stone between these two significantly different bodies.
We were talking earlier: I'm a retired Air Force officer, you're a retired Army officer. We talked a little bit about the places that we have been deployed and how I'm barely sure we chewed some of the same dirt at one time or another. But this overlap of the work that you did clinically and the work that you do in cybersecurity.
...awn there, right? It's about ... One of the things that we like to say with my company is cybersecurity is patient safety. As a clinician, we have the five rights of medication: the right medication, the right patient, right time, right reason, right route. Those kinds of things apply in the cybersecurity perspective as well.
If I don't have the right data about the right patient at the right time for the right reason in front of the right practitioner, I could harm my patient. And so really that's where we bring that fusion together between cybersecurity and patient care.
Yeah, love it. Let's hit on a couple of news stories here.
...fically a health care story, ... It just hasn't happened to us yet. Right? The ransomware gang encrypted a network going through a webcam, and bypassed EDR because an endpoint detection and response client couldn't be placed on that camera. You guys ever see anything like this or?
...y first HIMSS in around about ... What's interesting is there's not a lot of people that understand that we're using the same chipsets across multiple industries, across multiple infrastructures. When we see this kind of thing, it should not surprise us. Now, according to BleepingComputer, that's how they got access in again: something on an IoT device.
...d a keyboard on the network, ... Absolutely. It's one of the challenges that generally we have with our medical devices across the board and how we can secure them.
And that is, when I use the term environment of care, that's what I'm talking about. It's the patient in the bed. By the way, the bed is pulling an IP address. Mhm. The IV pump.
...y, and doubt. That is not my ... When I was with 1st Brigade, 25th Infantry, years ago in the Army in Mosul, one of the things that then-Colonel Brown, now General Brown (retired), said was: we need to see first, understand first, and act decisively. That has always hung with me as a key thing that we can do. If I bring you something that will increase fear, uncertainty and doubt, I want to bring with me a capability that says, hey, not all is lost.
No. What is your network? That is the see first. You need to see everything, whether somebody is touching the keyboard or whether it's living on its own in a happy little subnet. You need to make sure you know what's there. Understand first: understand where it's going, understand what it's connecting to.
...and will never talk about a ... Because you need to understand what normal looks like, right? And you have to know from day one. And then as soon as you deviate from normal, that's where you act decisively. You have to engage, but as IT/IS people, you can't just engage without pulling in your functional people. You need to bring in clinicians.
The devices we're using are literally keeping people alive. You have to be able to act decisively, with your clinical input. That's why I'm a nurse with a cybersecurity background. We have to know which clinician to bring in at what time to see first, understand first and act decisively.
...e used to talk about with my ... going to mess up operations, really going to hurt a patient.
When you look back at, in your experience, and I know you're, I have followed you for years, so I've paid attention to that, I think one of the things that I would absolutely put in there is most executive leaders don't know how an I...
...ventilator, it's the biomed ... Boom being the cyber event, left of boom is before it. We need to be engaging. Most clinicians I have found are resistant to meeting with the IT/IS departments. They don't feel comfortable doing that. And I think that's really one of the things that I really want to keep pushing forward: we should not be afraid to communicate with each other.
Build those bridges in the good times. So when the bad times happen, I, as a nurse will come to you and escalate my concerns.
Because I already have a relationship. Yeah. Perfect. We could talk about this all day, but I'm going to move to the next story. It's from Dark Reading and it says cybersecurity's future is all about governance, not more tools.
...f the conversation. It's not ... Absolutely. I think one of the biggest things that I am concerned about, and it's interesting because we do services, we do sales.
Sure. We sell different software. We were asked to sell this organization a new software. We actually said, hold up, let's operationalize what you've got first. I will tell you it was a less expensive thing, because while we could have sold something, it wasn't important to do that. What was important is we have to get this right.
And then what's really more important is getting the governance behind it. Just buying software, just buying tools, it's the old check-the-block. And that's exactly what the article went into. It talked about checking the block. We need, as clinicians, as cybersecurity professionals, as cybersecurity clinicians,
...e are making the maximum use ... But what's important is we have a lot of the tools. This is where, as a team, we need to come together and identify what it is. Not saying to be a blocker, but the governance, as we saw with NIST CSF including governance.
Now it needs to be part of our normal thought process. Thanks. The CFO needs to be able to see if there is a benefit for the finance side from security devices. There's stuff there. We can reduce risk outside of normal cybersecurity with some of these devices. And it takes people to look at this in an asymmetrical methodology.
And sometimes you have to be ... right?
That's really where you need to rely on your SMEs, your subject matter experts. Pull them in and say, okay, we're doing the Apollo 13 hackathon: hey, we've got to get this square filter into this round hole, figure it out.
You've got three hours. We might need to have to do that. What inventory do we have of our capabilities? What tools do we have? What are our unmet needs? And how can we rationalize with what we've got first? You rationalize, operationalize, and then you modernize. But it has to be deliberate. And it has to be involved in governance.
We have to make sure everybody is on board. Because if we operate in a silo, we end up breaking the business. And that's the problem. Because then we can't deliver care, which is what we're here for.
...vendor partners outside the ... Just touch on this really quickly. Talk about risk, because I think there's a lot of organizations who still really struggle with understanding the risk that they really have in their organizations.
When you look at risk, go back to the CT scanner analogy. So I'm an emergency nurse, certified emergency nurse. And I was at a stroke center, which has specific slice parameters that have to be met. We had two CTs: one that was the hyper-specific and one that was less. Everybody evaluated them as the same. If the specific one went down, we had to go on divert because we could not get to the specificity needed to be able to make that diagnosis. If it was not understood, it was understood on the clinical side all night and day. The CMO knew this. They understood what certifications they had and what they needed to maintain it.
...p. Back to relationships. By ... I've been really focusing. My CEO and I sit down regularly and we talk about this. I have been concerned with downtimes. Downtimes happen regardless of whether it was a cyber incident or maybe a dump truck took out the fiber. Right. A variety of things can happen. Because you cut the internet, you've got a DDoS attack, whether it's in per... Right.
Denial of service. So when you're talking about those things, when you're talking about the all-hazards approach, you need to look at the cost overall. Yes, everybody is worried about your name getting associated with a cyber breach, your name being associated with potential patient harm. That is an impact.
That is a financial ... How many of these organizations have looked at their denial rates? It's probably as important, because they're trying to pay either a possible ransom or possible mitigation for ransom. They're not thinking about the other costs here. Really, that's what I have been focusing on: our ability to deliver on that.
So I actually brought in coders, and I've got a forensic coder, which is really cool, to look at why. What is this? So what if it... how is this impacting that environment of care? It's the full spectrum from the time a patient walks in to the time that it's paid. All of that is impacting. And it goes back to what you were asking, which is risk.
We need ... Yeah.
Both of those involved an air catastrophe. One of those had everybody walk off that plane.
Yeah. Yeah.
These are the things we need to consider. We need to be a resilient organization. All of us, my company, hospitals, your company, we need to be resilient. Because the threats are emerging. I saw additional articles coming out about Basta and how their messages all got leaked. You have a great, and I want to make sure that you go into your analogy, because when you said it, I was like, ooh, I like that.
...and unique ways to do things ... sure they're also trying to be resilient, right? And so the last story is around these Black Basta chat messages that got leaked.
But they're thinking the same thing. They're trying to share a lot of information, trying to understand how to be as good as they can be, how to code as high as they can code, right? To make sure that they get paid. For as good as they actually look, they are businesses, and they're also talking to each other about different products and different companies and things that they're finding as they attack cloud services and all of that. They're in high-speed relationship building and communication too.
It's not just us. The bad guys are doing the same kind of work we're doing to make sure that they can make as much money and and do as much damage in many cases as they can.
Yeah, and it's that not everybody can have the expertise in-house. So they've got to go out and get it. They've got to be able to share that.
And that's where ... That's what they want to do. Guess what? That's what we want to do too. Because patient safety is cybersecurity and cybersecurity is patient safety. And so we need to keep tying that back around saying, yes. So when we have to go to a downtime, does everybody know it?
...and their challenges to help ... And so as a nurse, we talked about this earlier as well, as a nurse I had to be able to talk to patients and meet them where they were at. I can't go to my patient who is extremely obese and say, I need you to go run a marathon.
You're not, yeah,
That's not realistic. What I was able to do is say, what do you do now?
Okay. What if we did this one thing? What if we did this one simple improvement? Every time, one more thing. Just keep building upon it. When we talk cyber hygiene, we expect sterility. We expect them to be totally clean. But when was the last time we asked them?
...some security in there? You ... When we started the gel-in, gel-out capability in the hospitals, did I tell people they had to take a shower before coming into work? No, there was a foundational level of cleanliness. All I did was add one more thing on. But in cybersecurity, I am expecting them, with no foundation, to be on the third floor.
Not realistic. So let's get back to some basics,
right?
Let's start talking about, hey, what's in it for me? What's in it for you? How do you take care of your family, yourself, the things that matter to you? If I can help you understand that, when I say, hey, now in the hospital, I'm going to need this one more thing, it's less of a step up, right?
And we start to build on it. That's why the CPGs are out there.
Yeah.
...or coordinating council that ... know, a good start. Yeah,
...k force report to Congress in ... And working with Josh Corman and the rest of the HCIC team, that was one of the things we were working on: trying to make sure that there was a foundational knowledge, because the workforce, we're losing people. We don't have the people we need to do what we need to do. So in order to get there,
we need to start with a foundation.
Yeah, I feel like I say this a lot of times to my guests. We get into it and we could record for two hours, but we're out of time. I really appreciate you being here today. Brad Marsh from First Health Advisory. It's really great to see you.
I hope this isn't the last time we do this.
I look forward to the next time, Drex.
...s you updated on the biggest ... Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.