UnHack (the Podcast): Regulation Realities - Navigating New Norms in Cybersecurity
July 22, 2024: In this episode of Unhack the Podcast, Drex DeFord brings together top healthcare CISOs to discuss the evolving landscape of cybersecurity regulations and how healthcare organizations prepare to meet these new requirements. Featuring insights from Jason Elrod, Jigar K., Greg Garneau, and Aaron Weismann, the discussion covers challenges such as impending regulations, government mandates, and the importance of standardizing cyber performance goals. Special guest Sarah Richardson joins the conversation to provide additional perspectives on regulatory impacts and strategies for maintaining robust cybersecurity practices in healthcare.
Key Chapters:
Remember, Stay a little paranoid.
Donate: Alexβs Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
β π Thanks to our show sponsor, Ordr, the Connected Asset Visibility and Security Company. If you want to see every asset and protect against threats, Ordr is a great way to find and eliminate blind spots. They also integrate with more than 180 other security, network, infrastructure, and clinical solutions.
Find out more at Ordr. net slash healthcare. That's O R D R Ordr. net slash healthcare
β π π
β
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity, and Risk, and the people in process and technology making healthcare more secure.
, and now this episode of Unhack the Podcast. π
β
ABlock
β
Welcome to Unhack the Podcast. I'm Drex DeFord. One of the best things about my job is the amount of interaction I get to have with some incredibly smart CISOs security leaders and vendor partners and their teams. I love to learn, so one of my favorite things is That the community is so open and so willing to sit down and talk about really hard problems when we're together and how they're facing them and how they think about them and how that gives me the opportunity to shine a light on a few folks who are doing the really, hard work of figuring out where we're going in the future.
And right now that sounds like that's tough to do. The bad guys are growing and innovating and changing the way they attack us. They're operating a lot like big companies and they have deep understanding, deep specialization in a lot of areas and they don't have many rules. holding them back. But our cybersecurity community has to operate under some really challenging and really tight regulations.
Of course, we have the responsibility of helping our organization stay safe by building and executing great cybersecurity programs, but we also have a significant set of government regulation in place. And it looks like more of those regs are headed our way. So whether it's the new reporting requirements that may be coming through CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, or performance compliance that's driven by new regulation headed our way, for example, cyber performance goals, you are always making adjustments to the cybersecurity program that you run to anticipate those future requirements.
Not only in a changing adversary environment and not only in a changing business and clinical and research and financial environment, but you're also doing all that while the government is undertaking efforts to help improve cyber security in the healthcare industry. In this episode of Unhack the Podcast, you'll hear from CISOs I've talked to recently about impending regulation and how they're staying informed and what they're doing to prepare for what's coming.
And as you'd expect, there's a lot of challenges from who in your organization you should be working with and what outside relationships you should be managing and how you prepare your leadership team. For what might be unfunded mandates coming from the government. In this episode, you'll hear from Jason Elrod, the CISO at MultiCare, Jigar K., the CISO at Emory Healthcare, Greg Garneau, the CISO at Hospital Sisters Health System, and Aaron Weismann, the CISO at Mainline Health.
And we'll wrap things up with Shana Hofer, the CISO at St. Luke's in Boise. The two of us will do a little post game discussion, and you'll hear her thoughts about the current swirling cyber regulatory environment. There's some great insights here from some solid healthcare cyber community leaders. Don't blink, it will go fast.
We're talking healthcare cyber regulations on Unhack the Podcast.
β π π π π
Jason Elrod CISO Multicare
what about the prep? So you see it come in, you're looking at a lot of states are also implementing their own regulations.
There's federal regulations, there's regulations that feel like they're coming from different agencies. You see this stuff come in, you're starting to do your prep, you're having conversations, but internally in the team and across the information services department. What, kind of, prep do you do?
How can you prep for this kind of stuff? The health sector is highly regulated already, always has been. And so we've had HIPAA and we've had reporting requirements. When I look at CIRCIA, what I'm seeing is increased reporting. And I'm seeing and it can be an improved transparency. I'm, not bashing it a hundred percent right out there, but I think it, it does.
Land and additional compliance burden on it. And I do have some data sharing concerns associated with that. Now, internally, from the, you talked about what does some of the security controls let's talk about the cyber performance goals. That the CPGs, right? So what does that look like for healthcare?
What does it look like in an organization? We want to structure things around that enhanced security posture. We want to follow as close as we can the CPGs for healthcare organizations. We want to implement those things. I like the idea of the CPGs, especially the voluntary adoption component of it, because what you end up with is a standardization, a clear framework, for building a robust securityprograms.
And you get a little bit more consistency, not just within the healthcare sector, but you get that cross sector when you have this same framework. From the cyber performance goals. We're going to want to start looking at, Hey, what are we doing from our security posture? How is that aligned with the CPGs associated with healthcare and the broader standardization?
I still think the overall impact is unfolding. There's a lot of redundancies in what we need to do or what we may already be doing from a reporting standpoint. the concerns I have are not necessarily how am I prepping technology for it?
We already have a framework. You're going to follow that framework. And then what you're going to do is align that framework with the new regulations and new compliance. How does that fit in? Where are the gaps? I always appreciate another view, the diversity of experience, the diversity of viewpoint on the program, because somebody is going to come at it from a different angle and they're going to see something that I wasn't necessarily paying attention to.
It was always there. But I didn't necessarily pay attention to it. And so I think I appreciate that part of it, but we still have some unclear thresholds in healthcare, we have PHI associated with HIPAA, but now this kind of throws a bunch of other stuff in there too, like what's a cyber incident.
If it's not that, is there, what does that burden look like? What are those thresholds? What do we have to look like now in our auditing, monitoring, And reporting frameworks, whether it's technology or process within our organization. How do we, ensure that we're meeting that and not being encumbered with so much additional burden?
without assistance. Now, I do want to throw this one down there. If you're like, thou shalt do this, and I'm like thou shalt pay me to do this. Yeah. If you expect, if there's an expectation on there, especially in smaller healthcare organizations, I think, for this regulatory burden, additional burden, which is what it is, whether it's voluntary or not.
Voluntary for now. Yeah. First one's free. But as it moves towards, being not so voluntary okay, it's voluntary we require this in order to participate in government programs. There's Medicaid. Medicare, Medicaid now. Okay, great. Now it was voluntary now it's voluntold.
Yeah. And I think we have some of those things hit just making sure that if they are, if it falls to that category of the voluntolds, now we're gonna get certain reimbursements. Now we're gonna get certain, gating criteria to programs at a federal level. Then it dang well better include.
Hey, here's this resources to help you do that. And we'll come and get that for you. And we'll provide you with the funding to help bridge that gap. And it's especially important for smaller health care organizations, like a one hospital, two hospital system that don't have the luxury of, having a clear program in place or being able to do it.
Those, a lot of those folks are just struggling to get the bare minimum. And we want to support that Organizationally.
β π π π π
Jigar Kadakia CISO Emory Healthcare
Okay, so with regards to regulation, there are a lot of new regulations that are being discussed. They're being evaluated, being pushed out as recommendations, etc. And so we're processing those regulations as we get them. We're working with our compliance teams, our legal teams, to make understand the interpretations and then implementing whatever Security controls that we need to, A lot of these regulations, based on my kind of current understanding is there are slight enhancements of existing, frameworks and standards, whether it's a cybersecurity framework or the NIST framework or one of those types of frameworks.
And basically, we would have evaluation against one of our frameworks to see if we have a gap and then address the gap by implementing either a new control or a new process to address the regulation. I think the biggest regulations that I'm going to see going forward, most likely will be around AI and AI generation and those types of things, and specifically how that will impact cyber security and cyber risk going forward.
clearly Everyone has an interpretation, but there isn't really great guidance on it yet. I think some organizations, whether they're public sector or private sector, have published some level of guidance or trend lines. A lot of the Think tanks have provided some guidance around AI and specifically what the risks are associated with AI.
And everyone is trying to evaluate and come up with a scope and approach that best fits their organization as an academic institution and a healthcare organization. We have AI in the healthcare space. We have AI in the student faculty space. So we're we're trying to come up with something comprehensive to.
Kind of address the risk factors associated with something like AI. Broadly speaking, the basic cybersecurity protections whether you look at HICP or any other 45B or any one of those, a lot of great guidance associated with that around how to build a program or a mature program, I think. Looking at cyber, it's really a maturation process.
How do you improve the program year over year, compare it to peer groups, and develop a program that you can go to your leadership with to say, hey, this is what we need to do as we grow and mature our program. Here are the risks, the gaps, the areas that we should focus in on. And we think we're doing well in these areas, but we need to focus on these other areas.
β π π π π
Greg Garneau CISO HSHS
So how does regulation. Impact healthcare organizations and why is regulation important, right? Given the increase in the ransomware events impacting healthcare organizations, the federal government they want to respond because it's one of the critical, infrastructure pillars.
And health care being impacted is a threat to life. Patient safety is impacted and folks get generally a little squirrely when hospitals get impacted and get taken down. It's important to have regulation. I think where we need to be mindful of where regulation and burdensome Regulation come into play, right?
It's important that everybody have, I'll call them the, standard cybersecurity, blocking and tackling cyber one on one stuff. So the stuff coming from the health sector coordinating council, of the health sector coordinating. Yeah, I am. And so a lot of those CPGs and other things got developed with you, with folks like you.
Exactly. So we talk about how do we, look at the CPGs. And how do those get implemented in the health care organization? I think a big concern for organizations like ours, is these CPGs are not mandated yet, but it certainly looks like they're going to be mandated. And are they going to be mandated with funding, and what impact are they going to have the mandates or failure to meet the performance goals have on your organization, right?
We've heard talk of CMS funding being impacted if you don't meet the cyber performance goals and obviously when you talk to Healthcare organizations about, anything funding, people get very excited. Oh, yeah. So, those are, some of the things that I work with our senior leadership team, our executive leadership team to make sure that they know that these, Regulations could be coming down the pike obviously our legal team and compliance folks.
As importantly, it's working with groups like the Health Sector Coordinating Council to keep abreast of all of the changes that are being proposed and the AHA as well. You've got folks like John Ritchie over there and, obviously those, the Health Sector Coordinating Council and Eric Decker and Greg Garcia and everybody involved there.
There's a significant amount of work being done to understand how do we get the cyber performance goals implemented. For larger organizations, it's not as difficult, right? And maybe a lot of them are even done, right? If you think about what CPGs are for a lot of larger organizations, this is already in place.
Exactly. So when you look at teams that have large health systems that have mature teams, most likely they're meeting the cyber performance goals today. But the real critical question is how are the small, rural, critical access hospitals supposed to meet these goals when they don't have the staff nor the funding?
Yeah, to implement these. And that's so they have maybe they've got Bob, and Bob does servers, Bob does networking, Bob does security, and then Bob goes helps in the cafeteria if they need him to, right? Those are the, that's the staffing model in some of these really small hospitals. So how do we help those folks as well?
That's a huge concern. And I know that's front of mind for a lot of the organizations that I'm a part of. As you see these regs coming, is there what kind of, preparation do you do to get ready for them? When do you start preparing given? Yeah I think In, the instance of, our organization, we start now and we review, both the, healthcare industry cybersecurity best practices the HICUP, the 405D stuff, and then you start looking at the cyber performance goals and crosswalk those. The work that you've already done, you look for the gaps that you have.
Identify those gaps and then start working to build programs and processes that will remediate any of those gaps and then implementing, any technology and process to make sure that you're meeting their cyber performance goals. So you have to start now. You have to start before they become mandatory.
Because trying to get that all done once they flip the switch and saying this is now mandatory, you have until X to meet these, I think you're behind the power curve at that point. π
β π π π
Aaron Weismann CISO Mainline Health
We engage with a lot of partners throughout the organization to deal with regulations. We have a legal team, we have a compliance team, we have a regulatory team, all of whom help inform what we're doing as a security organization. Mostly, they're looking at us because they're focused on a lot of other clinical regulations, ethics regulations, etc.
They're not really focused on IT and cybersecurity regulations, which are relatively new. And I think between information security and the threat of AI. legislation here in the U. S. as well, they're looking to us to inform what exactly it is we need to do. So as CERCIA comes up, or the 405D information, or the security rule being reopened, they're really looking to me, for example, and my team to be able to say here is what the tangible impact of that is on the organization.
Here's what we have to be mindful of. I think the legal background helps with that, but I think a lot of CISOs nowadays are becoming very, adapt at reviewing and understanding regulation and the impact of that. It's, interesting too that it's coming from everywhere.
It's coming from the federal government. It's coming from the agencies themselves. It's coming from the states. How do you stay on top of all the stuff that's coming from so many different directions. Yeah I, think it's a challenge, right? Because you are dealing with states, you're dealing with federal government, you're dealing with Europe, you're dealing with Asia if you're a multinational corporation, which fortunately we're not, but we still look at developments there.
There are a lot of different publications legal publications, privacy publications, compliance publications that one can review as far as federal and state legislation here in the U. S. ECFR, so the Electronic Code of Federal Regulations, and then states have similar programs.
Just trying to read through those are incredibly helpful. The IAPP which is the International Association Privacy Practitioners also keeps up to date on what states are doing with respect to privacy legislation. And they also get into the security side because it's when states pass legislation in the space it, there's a lot of overlap.
I would recommend that as a source as well, but just industry publications otherwise, any source you can to be able to pick up on here's what the legislation means to you. β
π
Wrap Up with Sarah Richardson
π π π I'm Drex and the other person that with me is not Shana Hofer from, St. Luke's Boise. It's Friday, July 19th, last Friday, cause this will play on Monday.
If you were awake on Friday there was a major incident that took a lot of technology down all over the country in healthcare, outside of healthcare around the world. And Shana's really busy doing that. So I have another guest with me today. Sarah Richardson's on the, horn with me.
How you doing, Sarah? I'm doing well, and while I certainly am no replacement for Shawna, I will do my best to represent our industry appropriately. So thank you for having me fill in today. Of course. I think in all of this, so this is the regulation sort of episode, we had a little pregame conversation about this ahead of time. Put on your CIO hat, And we'll talk about some of the stuff that's happening in the regulatory space. There's lots of regulations that are coming, apparently. Lots of folks, in the government who are itching to figure out how they're going to help. And that usually winds up driving a lot of regulatory activity around cybersecurity.
We see it happening, conversations around privacy, certainly AI. The states are involved because the states also are trying to figure out how they help health systems and healthcare in general get better at cybersecurity. You see all that activity. We talk about all that activity on a pretty regular basis too, and you see it on the news site because you and I are both posting all kinds of things about this on the news Site.
starting there, the government is trying their best to help with your CIO hat on. How did you look at that kind of environment when it was going on when you were in the seat?
What I find super interesting, especially about the Cyber Incident Reporting, Critical Infrastructure Act, and even some of the HHS guidelines, is a couple of things.
You can only report something within 72 hours, and additionally your ransomware payment within 24 hours. If you know about it. We talk about the penalties that are associated with if you don't report it in time. We often discuss the fact that assume the bad guys are already inside your systems.
And so then how do you act upon remediating those events and those activities? And so when you get penalized for non compliance about something you may not know about for a period of time, I'm only hopeful that some of the nuances and the interpretation of that are understood most effectively because there's a lot to be said.
With cross industry collaboration and information sharing. If healthcare can benefit from access to threat intelligence because of other organizations or other industries that are going through the same issues, can mitigate and respond to cyber threats more effectively, that's incredible. It takes so much more than just a mandate from the government or an understanding of those parameters, though, for it to be effective.
If anything, it's bringing the conversation more collectively together, but it doesn't mean that it's a magic bullet in addressing the things that we're facing every single day.
Yeah. In some of the clips with, , the CISOs, , one of them talks about the reporting requirements.
So obviously it's hard to report on something unless you know about it. So the clock has to start then. But the other part of it is, I think the devil's still in the details around a lot of this stuff. There's certain information you're going to have to report.
And then there are certainly concerns by cybersecurity leaders about, so how are you going to use that data? Are you going to, de identify it somehow? Make sure that it's clear that it's not my organization? Because we have two different kind of competing problems here, right? We have lawyers who are trying to sue health systems as soon as something's announced.
There's a class action lawsuit, and you have health systems who really do want to participate in an information sharing environment, but they need some kind of please arrange it so that I don't get in trouble, because I want to help the rest of healthcare, I want to help the other industries not get into the same problem that I'm in right now.
Yeah here's some of the things I think about. What's, what are those impacts going to have on how much more you're going to have to do. It's going to increase your risk reporting, increase your compliance reporting, increase your spend, increase the activities to be integrated with things like HIPAA and other aspects of meaningful use, et cetera.
And so all of a sudden those of us that have been doing this for a long time, we have like in our head, the timeline of when each of these different aspects occurred in our careers. Yeah. You get some of the more nascent security administrators or even newer CIOs. There's a little bit of a history lesson that has to go with why decisions today are being made and what that cumulative effect looks like and perhaps even legislation or policy reviews that take you back and start to combine some of these aspects because otherwise it's just a lot of acronyms you're managing.
While at the end of the day, you wanted to keep patient information safe and allow clinicians to perform the highest quality of care. Sometimes those other pieces get in the way, and that's really part of our responsibility is to balance the ability to provide great care and the ability to meet regulatory requirements and perspectives.
Yeah, the perspective on this is actually a huge part of it, because like you said, a lot of these things didn't, they didn't happen overnight, and a lot of them haven't happened recently. They have built on each other over time, and this is why you wind up with things like concerns about, Harmonizing the reporting requirements so that I don't have one organization that's asking me to report within 30 days these elements and somebody saying you have to report these elements within 72 hours.
All of that while I'm in the heat of battle of trying to resolve an incident and get systems back online and all those other things. Definitely a lot of challenges around that. Let me ask you another question. I think that As you were going in, when you were in the CIO seat and you were going through a lot of this process around regulatory requirements, not just for cybersecurity, but anything, it was it was tough, right?
You're, always looking to see what's coming down the pipeline, what the challenges and issues are with that, what kind of comments you want to make on who did, you work with? How did you work that system when it was when it was going on? You're in California too, so there's a lot of extra stuff often for Californians.
There's always a lot of extra stuff for Californians which I appreciate because I don't know if I feel safer or more compliant or whatever, but I'm wired to look for and what else and what's next and what does this mean for us? And quite honestly, that's where the relationships with our partners are so important because you get really, strong bonds with your partners.
I would have some of my bigger partners come in and do some of that education, not only with my team. So there's the historical perspective. Always what are other industries doing to stay safe? All importantly, it's the relationships you create inside the facility and within your different systems. And that's everything from what do your techs who are doing rounding on the nursing floors understand and know that is, key, whether that's shortcuts to how systems work, but also why we're doing something.
All the way to the ability to tell the right story and have the right perspective for the board. So whether that's risk, compliance, legal, quality, finance, internal audit, obviously IT, and on. I would make sure that I would have those individual conversations and say, Hey, here's what we are required to do.
More importantly, what is the impact going to be for us? Because even when you're complying with regulatory requirements, at all. Healthcare is local. It will still be based on your workflows, based on your patient populations, based on, to a degree, the states that you live in, based on the size of your staffing.
If you're a rural and you've got two people on your team, it's a totally different dynamic than managing an entire security council or your audit and security committee that meets quarterly to go over all of these things. The size and scope and breadth and depth of what you have to report and really be.
aware of. Depends on the dependencies you have on third parties as well. So everywhere I've ever gone, I made the relationship personal on myriad fronts, realizing that security, as an example, is one aspect of the 20 things that the quality team and I were going to work on together. But the fact that we carved out time to know it was important to one another, That whole quid pro quo in that universe, because you're basically asking people to do something extra.
And even if it's not, you didn't create the regulation, Drex, but you have to make sure we meet it. That's a partnership. And that's all about the CIO being a business operator who happens to enable technology. Not the CIO being a technologist who's trying to add things into the business. It's the same thing for the CISO.
The CISOs now have also elevated that position to that level and, they are working daily with those business clinical and research operators to ensure that they're doing the right things to make sure compliance is happening and privacy is happening but at the same time having conversations about how do I do this in a way where I don't interrupt or disrupt the whole Care delivery process.
So it's interesting. You also make a really great point about the unfunded mandate part of like small hospitals and the challenges that they're facing right now and then new requirements on top of that that, don't come with money. Thoughts on that? And I heard your interview with Wes.
I was listening to that this morning, actually. What happens to those health systems that are the ruals? And I'm talking about, I've worked for healthcare systems that have the 25 bed critical access hospital, literally out in the middle of nowhere.
They still had to meet all the requirements. I loved the idea of, if you're a big, provider, pick one. Why don't you give it to the rurals? Or is there some kind of incentive because there's a level of subsidy that goes into the fact that if you live in an underserved area or access to care is hard for you, then you certainly don't want it.
That entity shutting down because they can't afford to pay their IT maintenance or their compliance or regulatory penalties. To me, there has to be a space that says, Truly the care of the patient, like EMTALA the whole how close are you to the facility you come in, if you can't afford it, it's like, what can you afford, or do we give you up to this amount because you still have to do it now?
You might have the big dog say we paid for it and we did all of these things. Yeah. Maybe you're a 1. 5 billion organization in a high Metro area. There's a really good chance though, that somewhere along your entire ecosystem or your chain of admits. Is, can be traced back. To a critical location, a critical access location.
And so nobody should be alienated simply because they may not be able to afford all the bells and whistles that need to come with it. So some form of subsidy packaging in those spaces, maybe it's a government and a private partner type of arrangement, but They're not asking for a handout as much as a opportunity to keep the lights on and making sure that if you get admitted to that facility, you're going to be taken care of.
And that's really what people need the most. Cause when you go to a hospital, you're usually at your most vulnerable. And that is not a time for a patient to have to worry about whether or not that hospital can even take care of them.
It's the the other part that always Worries me about this. Having grown up on a farm in Indiana, my local hospital, if I couldn't be seen in my local hospital, my next hospital was like 100 miles away.
And that's a life and death situation. If that hospital disappears because of whatever reason, or they just go offline because of a cybersecurity event or something else, and they have to divert patients, my, Emergency care is a way more complicated situation. The small and rural hospitals, we definitely have to think about this significantly in all the cyber security regulations that are coming up.
Yeah, it's not like we're going to ask you to move closer to big hospital Drex, because you're probably growing large crops that feed humans in the United States and beyond as well. So that that circle of life or that whole chain of economy All literally feeds into one another, and so you can't just assume that people are going to be able to move closer to where certain things are.
It's our responsibility to make sure that we can, to a degree, meet people where they are. So I'm hopeful that these conversations continue to coalesce into a strategy that doesn't feel burdensome and allows you to always focus on patient care.
Yeah. One more question. As you saw this stuff starting to go through the mill in the government space, at what point did you start to think about, okay, this is big enough.
I need to start working with the folks inside my organization to understand what it is and what's coming, even though it's not, in, in regulatory form yet. It's just in the conversation phase or it's in the comment phase. When do you start doing the work?
So you're always doing the work.
I feel like that's an important aspect that you're always paying attention to what's coming. Because if you're obviously running a smooth operation, you're already handling the day to day. It's what do I need to be thinking about that's out there? That's whether it's on the dark web, whether it's on newsfeeds, et cetera.
And if that's not a space you're educated or comfortable with, find those people. And there are plenty of people who understand how to track what's happening on the dark web or happening in different aspects, so you got your Washington policy feeds coming in, you got your dark web guys or gals that are giving you some insider information, you've got your regular updates, always paying attention to the what if.
So you don't want to create a doomsday scenario for your facility. But there are things, I had a conversation yesterday with someone, I said, what happens if your facility goes down for 30 days? And they're like that's not going to happen. I'm like, Yeah, it might. Yeah, it will. Only because I have significant friendships in situations where that happened recently.
And if you aren't prepared and letting people know what may be coming, then you're not really staying aware of the next aspect. Have your ducks in a row, but Always be looking out there into the backfield and say, what is that on the horizon? What should I be thinking about? Because the more educated you are about the maybe, if it shows up, you're already there.
And if it doesn't show up, then hey, it was just one more thing you learned about. I guarantee you're going to learn something when you're monitoring those channels. And let's remember something that you and I talked about probably six or eight years ago about Relentless prioritization and governance.
That is where these conversations are happening, because if there is a significant policy change, compliance, regulatory, etc., it always jumps the line, goes into first place. What needs to be true in your existing portfolio, that if those things come true, you can adjust for them and not lose too much momentum for the rest of the strategic objectives you have occurring within your systems.
Yeah, that's a great point. Hey, thanks for thanks for dropping in and being a great and awesome substitute. I really appreciate
it.
Yeah, I'm like Shawna, I hope I made you proud.
I'm I'm hoping that everything is going okay with everyone who's dealing with this. Even when this shows up on Monday, there'll still be a lot of folks digging out from that.
Thanks to everyone for listening. Really appreciate you. β π π
π
Outro
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.