October 18, 2024: In this special Cybersecurity Awareness Month episode of UnHack (the Podcast), Drex DeFord speaks with Lisa Bisterfeldt from St. Luke’s Health System about her journey from public health to leading cyber resiliency efforts. They highlight the Health Sector Coordinating Council’s Cybersecurity Working Group (CWG) and its free, scalable resources to help healthcare organizations respond to and recover from cyber incidents.
Key Points:
Completely free and incredibly useful stuff that's produced by the Health Sector Coordinating Council's Cybersecurity Working Group:
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): Must-Have Free Cybersecurity Tools for Healthcare – Respond and Recover Faster
Introduction and Sponsor Message
Drex DeFord: Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24 7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.
Learn more at fortifiedhealthsecurity. com
Meet Your Host: Drex DeFord
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity, and RISC, and the people in process and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
Drex DeFord: Hey, everyone. Welcome to Unhack the Podcast. I'm your host, Drex DeFord.
Health Sector Coordinating Council Overview
Drex DeFord: And today we're going to talk more about the completely free and incredibly useful stuff that's produced by the Health Sector Coordinating Council's Cybersecurity Working Group. As I've said before, it's from the government.
There's a lot of acronyms. We'll shorten that today to CWG for reference. So the Health Sector Coordinating Council Cybersecurity Working Group, or CWG, is composed of 400 plus industry and government organizations that work together to develop strategies to address cybersecurity challenges and the health sector.
And one of the many things CWG does is through a task group process, they develop these free resources focused on sound cybersecurity practices for a range of healthcare cybersecurity disciplines. And today we're going to talk about a set of those resources And this set is focused on responding and recovering from incidents.
And I'm lucky enough to have a guest today who knows way more about this than I do.
Guest Introduction: Lisa's Journey in Cybersecurity
Drex DeFord: Hi, Lisa. Thanks for being on the show.
Lisa Bisterfeldt: Hey, Drex. Thanks so much for having me.
Drex DeFord: Of course. We're going to talk about some of the work that you've done helping to create some of these really great free resources, but first introduce yourself and tell me about your role at St.
Luke's. And you have a really interesting job and a really, and reporting structure and a path into that job. So tell me a little bit about yourself and give me some of the backstory.
Lisa Bisterfeldt: Yeah, I'd be happy to. So I've, I work for St. Luke's Health System. I manage their cyber resiliency program and report directly to our CISO, but really how I got into cyber is, a mystery.
My background really is in public health and I thought I was going to do health promotion and right out of my master's program I took a job at the public health district doing emergency management and public health preparedness. From there, I just really fell in love with healthcare delivery and our hospital systems.
So I transitioned to be the emergency manager for the St. Luke's Health System out of Boise, Idaho. I was in that role for about five years. And at that point, we really saw cyber security picking up in the healthcare sector and these attacks becoming not only more frequent, but also a lot more impactful.
At that point, St. Luke's developed a new program That was called cyber resiliency. And so I fell into my new role within St. Luke's. I've been in that role for about four years, and it's been so rewarding to take my background in public health and my passion for not only the health of our community, but the health of our patients and be able to take the skill set I learned in emergency management and apply it in this new, exciting, Fast paced cyber security environment, constantly learning all these new things whether it's our current threat landscape or different vulnerabilities, but then being able to apply that.
apply that, excuse me, to how impactful it could be on our operations has been really helpful and really something that has been a fun and exciting kind of twist and turn in my career.
Drex DeFord: I love that. So you've got like the peanut butter and my chocolate career. And it's cool when it just all works out and you can figure it out.
The big thing about that I think that is unique and special and to me really interesting that you bring to the table is the public health angle on this because there's more and more, we'll get to this, we'll get to this stuff that we do for CWG, but, The really interesting angle of when there's a cyber incident with a health system in a community, it really affects way more than just that health system.
That whole community can be turned upside down, right?
Lisa Bisterfeldt: Absolutely. And I think it's a lot of times we hear of these big health systems, but in reality, all of healthcare is so vulnerable. So whether That's a public health department, a single provider office, all the way up to the large scale health system.
And so like you talked about, we'll talk about it a little bit later, but the Sector Coordinating Council really looks to ensure that we're providing support for that entire realm of healthcare, knowing that healthcare as a whole is really vulnerable these days to cybersecurity activity.
Drex DeFord: Yeah.
And yeah now let's bridge into that. At some point, you became involved in the CWG, the Health Sector Coordinating Council Cyber Working Group. How'd that happen?
Lisa Bisterfeldt: I had just come into my new role and was looking at ways to learn more about this new cyber world. And they were just kicking off a brand new work group that was incident response business continuity.
And it seemed like a really good fit. And I felt really fortunate because I came in right at the right time. So this was about four years ago. And. So far, it's just been such a treasure to get to be part of this amazing work group with not only great stakeholders but also just really great resources that we've been able to develop.
So on a whim, but perfect timing to be able to jump into a brand new work group that really fit with what I'm doing.
Drex DeFord: Yeah. Timing is Timing is everything. I will say that over and over again. So you're really like one of the, you're really early into CWG. I'm like maybe a year and a half in as a member, but you've you were there and you had things produced before I ever showed up.
You're the leader or you're one of the leaders. I'm not sure exactly how to say this because I know it's all a, it's all a team effort on the Coordinated Healthcare Incident Response Plan with the acronym CHIRP and the Operational Continuity Cyber Incident document, the OCCI document. And then there's an executive checklist coming soon.
You and a lot of folks put a lot of time and effort, volunteer effort into this work. Why did HSEC, CWG feel like this was such an important topic for them to produce material on?
Lisa Bisterfeldt: The reality is, like I've said, we're all vulnerable, but the skill set and the amount of time and effort that each healthcare entity has to give to cybersecurity preparedness and awareness is different.
However, I feel like it's IoT is something simple that we can provide from a council perspective. We really were discussing as a work group what could a product be or how could we ensure that the time and effort that we're providing here is as productive as possible for our members as a whole?
We identified that. That simple, easy to use, out of the box products would be so valuable, not only for maybe a large health system that was impacted, but maybe that critical access hospital that has two IT people as a whole. Healthcare is ever changing and moving quickly, so how can we make, create tools that are not only educational, but could be operational relatively quickly, or like I said, out of the box.
to be able to help them be more resilient in the time of a cybersecurity incident. It's
Drex DeFord: scalable across that whole range of health systems, right? It's a health care, hospitals, health systems. Let's talk about the documents. If you can walk me through and just hit me with some of the highlights.
Do you want to start with CHIRP or you want to start with OCCI as one, a logical predecessor to the other?
Lisa Bisterfeldt: ~We started with OCCI, some people call it OCCI, some people call it OCCI, but really that was helping to, the purpose of that document is really to help bridge IT and emergency management and cyber security.
I think, as I'm sure you probably know Drex a lot of times we work in our separate silos. We're all working on things. But we're really fortunate in the group to have some members that have been through a cybersecurity incident. So we leveraged a lot of their best practices.
Collaborative Cybersecurity: Bridging Gaps in Communication
Lisa Bisterfeldt: And one of them was how do we get everyone at the same table so that we're working towards the same objectives, we have the same understanding.
And so the uniqueness with OCCI is we partner really closely in leveraging my emergency management background, as well as some of the emergency managers we have as well. Part of the council to develop a product that mirrors the hospital incident command system. So this document is really built, more for the hospital side of it and really built in a way that can be easily operationalized given
processes that, unfortunately, due to COVID they got really used to using Incident Command. So we took those same fundamentals, but applied them in a checklist format that could be initiated in the first four hours of a cybersecurity event.
Drex DeFord: I'd like the thing that you've done here is that you've decided to build this in a way where you're speaking the language, not of the security team or not of the IT team, but you've built a checklist that speaks the language of the people who do it.
do this work all the time. Yeah, it's critical,
Lisa Bisterfeldt: right? I think we take for granted sometimes. And just the same healthcare can turn it on us and IT, and sometimes we don't understand what they're saying. So that communication piece is so important.
OCCI: A Practical Tool for Hospital Incident Command
Lisa Bisterfeldt: Another big part of OCCI is having a seat at the table for your cyber or your IT individuals, and making sure that they can be collaborative in some of that, The document we developed is great out the box, so heaven forbid something's going on, you can pull it up, but obviously best put together prior to and tailored to your needs would be the best there, but really a great tool for any part of healthcare and aligns with some of those key initiatives they're used to using already.
Drex DeFord: Yeah, I like that it's it really is an out of the box thing. If you've never done it before, it gives you a great jumpstart. You can sit down, you can literally fill out names and create the document that you want to use, hopefully for the tabletop exercises and the other things that you do.
As you prepare for, and never happens the cybersecurity event. But sometimes it does happen, right?
Lisa Bisterfeldt: about CHIRP,
Drex DeFord: maybe, sorry.
Lisa Bisterfeldt: No, you're good. CHIRP is, flipping, a little bit.
CHIRP: Enhancing Incident Response Planning
Lisa Bisterfeldt: So while OCCI was really developed to help our hospital teams and partner through emergency management, CHIRP is a high level template focused on incident response planning.
As we're aware. depending on the size and scope of your facility, you might have a robust cybersecurity team. And so this tool really was meant to be more focused to IT and cyber, but be able to identify some of those things you might not have considered. Some of those retainers you might not have, or those partnerships you might want to think about, or if something happens who you should be reaching out to from a more technical perspective early on within your incident.
Again, great template, but this one for sure is, helpful to vocalize with your IT and cybersecurity teams prior to and be able to start doing some of that work. But again, a really great template and a really great opportunity, even for a mental checklist of what are those things that we need to think about or what are those things that we might need to have in place.
It acts like an amazing foundation to start building a really solid cybersecurity incident response and recovery plan.
Drex DeFord: Even things like, as I went through it again, the reminder of who has the authority to say that we can disconnect from the internet? Something go on or, and there's a place for that.
These are all things that I think we think about sometimes when we talk about it or we go through exercise, you actually have it written down in the plan. It's these are all these, it's not an exhaustive list necessarily. Cause that's almost impossible. You all really did a great job of putting together a lot of those.
It's almost like a workflow template. All the stakeholders who has decision authority, all that kind of stuff is, there for them to use to build the plan that is theirs.
Lisa Bisterfeldt: Thanks Drax. That means a lot. I think our group is. really thoughtful in what we put together. We know everyone's really busy.
And so you have to walk that fine balance of making sure that it's long enough to have the information you need, but also be formatted in a way that's operational moment in time. So I'm really glad that was the takeaway you had.
Drex DeFord: I love it. What, haven't I asked you about this that I probably should have asked as we roll down toward the end of the program?
Lisa Bisterfeldt: That's a really good question. I think one of the things that we don't share enough from our work group is while we develop products, I will say that one of the really great things that I've gotten from being part of the work group is the ability to network, the ability to build partnerships to be able to have colleagues that you can leverage best practices from all across the country.
So while the products are fantastic, would really recommend getting involved, whether it's I think we're getting ready to push out a new strategic plan with a new set of work groups. So really recommend individuals that might not have too much time to commit, but need to have a really solid network looking into the Health Sector Coordinating Council and the Cybersecurity Working Group, really to see the opportunity to dovetail in.
I'm pretty engaged as a chair of one of those work groups, but there's all different levels of participation and engagement that can match the time commitment that you're able to give. That might be something that we haven't talked about, not just only the tools that you can get from the Cyber Working Group, but also just this amazing opportunity to meet others and learn from others across
Drex DeFord: the country.
I 100 percent agree. I think the opportunity to be able to meet other people and learn from other people and have them in your, Speed dial when something goes perfectly well or, and right, or, Hey, here's an idea that I have. You have other people you can reach out to and bounce those ideas off of, or if you have a problem, obviously, folks you can reach out to.
Executive Checklist: Empowering Healthcare Leaders
Drex DeFord: There's one other thing I wanted to ask you about now that I think about it, the executive checklist, which is coming soon, what's that going to look like?
Lisa Bisterfeldt: Yeah, this is an exciting new product that we're putting out soon. The Executive Checklist, again, looking at a different audience this time.
While a lot of our products have been healthcare wide, this one really is scoped more towards the hospital audience, and really towards our executive response or executive team at those different hospitals. Really the core of the document is about helping healthcare executives to understand their role in an incident response.
It really prioritizes cybersecurity threats that can cause significant disruptions. And it really goes all the way from thinking about blood donations that could be destroyed due to an incident, to surgeries that might need to be postponed, was really the Kind of the foundational element there from an executive level.
What are those things that you need to think about in order to continue your operations? It's written more, in an executive summary type fashion. focus areas on incident response and business continuity, additional communications. So just different high level pieces that are not only important in a cybersecurity event, but also written at that level.
level for executive decision making and an awareness as well.
Drex DeFord: Got it. And all this available completely free. You can get it on the Health Sector Council. It's healthsectorcouncil. org website. There's a library. Tons of stuff up there, and in particular, when we run this show, we'll make sure we put the link in the show that specifically connects to the stuff you've been working on.
Hey, thanks for being part of the show today.
Lisa Bisterfeldt: Yeah, thanks for having me. It was so great to see you again.
Drex DeFord: Good to see you too.
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.