This Week Health


September 30, 2024: Kate Pierce, Senior vCISO & Executive Director of Subsidy Program, and Tamra Durfee, vCISO, of Fortified Health join Sarah at SOAR for the news. The discussion delves into the cybersecurity talent gap, highlighting the importance of attracting more women into cybersecurity. What role do mentorship programs and internships play in empowering the next generation of cybersecurity professionals? The conversation also examines the culture of cybersecurity in healthcare, posing crucial questions about balancing security with clinician workflows. 

Key Points:

  • 01:51 Impressions from the SOAR Conference
  • 02:56 Women in Cybersecurity
  • 07:04 Integrating Cybersecurity in Organizations
  • 09:27 Cybersecurity Culture
  • 16:10 Women in Cybersecurity


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.

Learn more at fortifiedhealthsecurity.com. Today on Unhack the News.

Tamra Durfee: educating them about why it's important. And knowing that you're a partner. That you're not there to say no and to block them. You're there to partner with them to say, we need to implement this. How do we do it in a secure way? If you're the no person all the time, I've found that then people will go around you

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm [00:01:00] president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

Sarah Richardson: Good morning. We are so excited to be joining you from Atlanta at the SOAR Conference, which is a partnership with Bluebird Leaders and This Week Health. More importantly, we are covering Unhack the News today, because Fortified Health Security, who is one of our partners, is also a sponsor of this event.

I am grateful to be joined by both Kate and Tamra from Fortified. Good morning, ladies. Good morning. So before we jump into the topic of today, which is really about the diminishing or the need for cybersecurity workforce and how there's a huge gap, not so much in the talent gap, but the ability to get people into this field gap. What have been your impressions from the last day here at SOAR?

Kate Pierce: Oh I think this event is just amazing. It's really exciting to be able to come [00:02:00] and attend an event where women are actually supporting other women and men are supporting women in their growth as leaders. So I very unique event. I think I'm addicted. I'll be back next year. Yeah,

Tamra Durfee: I think this has been one of my favorite conferences I've ever been to.

I like that the size is smaller, and it's really more intimate, and I've been able to build some networking relationships. And I think that's important as the younger generation, we're trying to pull them into the market. And I think if we as experts and leaders can show how women in cybersecurity can enter the field and be successful, I think that sets the stage for the younger generation as examples.

Sarah Richardson: Azir, you're here with all of these incredible women, and what I love, to your point, it's small, it's intimate. We haven't talked about technology over the last few days. We've talked about the relationships that allow you to be successful in your career. We happen to be technologists. As you think about the latest ISC2 report, there's a gap [00:03:00] in especially cyber security staffing, whether that's men, women, or otherwise.

What are some of the best ways we can entice people to be excited about cyber security, especially when it's a role that tends to be more fragile or at risk in some organizations due to the fact that it's a matter of when and not if?

Kate Pierce: I feel that cybersecurity is going to become a big spotlight and already is becoming a big spotlight for organizations because as we implement technology, cybersecurity has to come alongside that.

And if we don't begin slowing down maybe the pace so that we can wrap our new technology deploy it in a cyber safe way, then we're going to continue to see the need for recovery. I would like us to become more proactive and get us out in front of these cyber risks before they happen and reduce that.

Get away from the, it's not a matter of when. It, it's more of a protection. Everyone needs to bring their foundational cyber up to a [00:04:00] certain level. And I think we're seeing that come out with the HHS Cybersecurity Performance Goals that were released earlier this year.

Tamra Durfee: Yeah, I think, as I was talking about bringing up the next generation and how do we bridge that skills gap and get more people excited about cyber security.

Earlier, a speaker at Bluebird Leaders yesterday was talking about interns, and that's an approach I used at a hospital I worked with where we hired interns from the local college, and they were I actually follow one on LinkedIn who has gone on to a career in cyber security. So I think again as us, as leaders in cyber security, making those opportunities available.

Internship programs are a great way to introduce people into technology and into cyber security. And that was something successful that I've done at a hospital to grow that and build that generational gap that we're seeing and promoting those resources into cyber security.

Sarah Richardson: What are some ways to remove the [00:05:00] barriers of the fact that some of the research that we did for this conversation was women will go and get like a master's degree in cyber security or the higher level certifications where many of the men that were surveyed are doing it on the job training.

How do you start to break down that barrier a bit that says you don't have to have these huge degrees before you start your career in this space? How do you get a sense for encouraging people to enter a field before they are perfectly qualified from their perspective to do so?

Kate Pierce: I think that we need to break down the whole mindset, the culture that we have in the U.S. that cyber security is a man's field. And we're seeing that more and more continue to get better generationally. We were looking at some numbers yesterday from a Women in cyber security report that was put out by ISC2 earlier this year. And it indicated like for the 55 and over, we're seeing only 13 percent of the folks in cyber security in that age be female.

But when you get down to the [00:06:00] 30 and under, it's at about double that, or 26%. So if we can continue to encourage women, to explore those STEM type roles and embrace the inner potential that they have, then we can bridge some of those gaps. I know you talked about interns, but do you have other thoughts?

Tamra Durfee: Yeah, I think, my degree is not in cyber security, and so I think that it doesn't have to be a barrier, and I think it's, organizations recognizing that investing in potential, versus a degree on a paper, can really help them close that skill gap and that hiring gap, whether it's male or female and, opening up opportunities and presenting those opportunities to candidates that they don't put those requirements on their job applications.

Because then no one's going to apply for them. And looking for those soft skills, looking for that potential, looking for those people that are going to come in and be able to be successful and get that on the job training. And investing in them is really going to help [00:07:00] us close that gap.


Sarah Richardson: So when an organization has a gap in cybersecurity staffing, we're going to call you.

That's what happens. We're like, can you help us? Can you vCISO us? Can you throw some resources our way? As we think about how we plan projects, a lot of the conversations we have with anybody as a CXO in healthcare IT is the governance [00:08:00] and the staffing models and the maintenance and the ROI and all those pieces.

What I have not heard in this conversation made me really think about it in preparation was, adding what you're going to need from a cyber and risk perspective to that ongoing continuity of operations. And when you think about building those business cases to bring new technology into an organization that's going to require cyber support, where does that conversation plug in?

How soon and how aware does an organization need to be to make sure that's part of the conversation?

Kate Pierce: I think everyone should be aware of the increased third party risk. And when you're evaluating new digital assets for your company, cybersecurity needs to be at the table right from the very beginning.

They need to be part of that conversation, because you don't want to waste your time or our time if you're exploring opportunities with a site that hasn't given any thought to cyber. As soon as you connect that to your network, it adds to your risk for the entire organization. So we need to make sure we're stopping that a lot [00:09:00] earlier in the process.

We did a roundtable yesterday. And there was a question about like at what point in that purchasing life cycle are you bringing cyber to the table? What point is cybersecurity becoming part of the conversation? And there were like 35 percent that were like, after the contract's already signed and we're ready to deploy, then we think about cyber.

And then it's really too late.

Tamra Durfee: Yeah, I would agree with that. And I think it's really building an organizational culture of cybersecurity that is the key to that. Because if you have one CISO or one or two security analysts, they cannot protect an organization by themselves. And you can't just do it with your IT staff.

It's the whole entire organization. And building on what you were saying, Kate, is that making sure that information security is built into the whole process across the organization. And it's getting in front of all of the management who are wanting to bring those [00:10:00] technologies in. Whether it's applications or medical devices.

And educating them about why it's important. And knowing that you're a partner. That you're not there to say no and to block them. You're there to partner with them to say, Okay, we're going to implement this. We need to implement this. How do we do it in a secure way? If you're the no person all the time, I've found that then people will go around you.

But if you engage as a partner and you build that into the culture, and same thing with the contracting. You've got to partner with your contracts team and say, if you see anything that talks about software or hardware or applications, that needs to come to IT and to the security team for a review.

Sarah Richardson: It does.

You've got cyber risk, legal, compliance, IT all at the table during the contracting phase. Through the deployment of the project, you think of the success of that project and how important it is to make sure that staffing remains because so many people will think the project's live and therefore it's just out there and it takes so much to make sure that it goes right.

Those third party risk assessments are tremendously important. [00:11:00] And many of the organizations or smaller startups are looking to break into IT, healthcare, and have that vertical established. The conversations we have with many CISOs are, hey, by the way, you need to have some healthcare expertise. You can't just decide you're going to do business in healthcare.

That's not how this works. And so as you think about preparing even some of the newer technologies coming into organizations, what are some of the things that need to be true? HITRUST, HIPAA, what are you looking for most to say this is going to be secure enough to deploy into a client's environment?

Kate Pierce: You point out some great ones HITRUST, they need to be HIPAA compliant, but there's really it's beyond that. It's, you can be secure at the point you're deployed, but you need to remain secure throughout the entire life cycle that you're in the environment. I know the FDA last year indicated that any new medtech that comes into the hospital, that's getting FDA approval has to be secure by design.

And it has to be able to be maintained secure. So you can't just come in and put your product in and then [00:12:00] back away and say I'm not going to patch. So you have to be able to have it your technology at a point where you're following these new regulations that are coming down the pike as far as meeting those when it comes to security.

Tamra Durfee: I think, having all of those is, HITRUST knowledge is important, but validating that our third parties and our medical device manufacturers are actually truly needing them. It's one thing to say that you are, but that's why the third party risk, I think, is so important. And asking those questions and digging into that.

Asking, are you doing multi factor authentication for your privileged access? I have been specifically asking that question on, and every third party I've been doing an assessment on. And I've actually been surprised at how many say no. And so I think that the problem is that, they can say they meet the letter of something, but when you really drill in and ask them the hard questions and hold them accountable to it, and if you don't do it, what is your plan to get there?

Most of the time [00:13:00] they'll partner with you and they want the business and they'll work towards it, but it has to be more than just following. It's really drilling into it.

Sarah Richardson: I want to ask a logistical question for you because talk about, okay, keep your application secure, turn on multi factor authentication.

And yet, if you are deploying a workflow for a clinician, and they don't want that multifactor authentication because it's disruptive in their environment. What would that conversation look like?

How do you influence an organization to make good decisions to protect the patient and protect the data?

Tamra Durfee: So I think when I've had those tough conversations again it goes back to the culture and making sure that at the executive level of a hospital, that they understand the risks associated and that they are on your side and will back you, so that when you do have those conversations, physicians are the hard one trying to get them on MFA for remote access.

That's always the big challenge one I've dealt with. So you can have the access, but you have to do the [00:14:00] MFA. They go together, and holding that line, and also explaining why. They're in the field because they want to take care of patients, and it's not only about taking care of the patient from a clinical standpoint, but we want to protect their data.

It doesn't do any good to treat a patient and send them out the door to have them involved in identity theft because at the hospital they were treated at, their data was compromised. And so I think when you flip that on the physicians and the providers and explain that perspective that they don't think about.

It's just a different viewpoint that in cyber security we're looking at it from that way and they're not thinking of it from that perspective. I've most of the time, I have no longer gotten pushback because we're wanting to treat the whole patient and that's part of it.

Kate Pierce: And I think it's also important you talked about governance.

It's important to have a governance committee for your cybersecurity needs as well. That's actually the big change when it came to NIST 2.0 is that governance is the overarching piece to ensure that [00:15:00] you're building in all of those factors when you're doing that. If it comes, if you embrace your physicians and your clinicians and include them, or representatives of them on your governance committee, you get far less feedback, physician to physician, than you get CISO to physician.

Your CMIO is your best friend. Yeah, exactly. Absolutely,

Sarah Richardson: and if the decision is to not use those workflows, then who's accepting the risk in the organization so that it doesn't then say, Wow, our team didn't protect us. We did, and here's the decisions that we made. That documentation trail is really important.

It also comes back to help you make better decisions for the future because there will be sometimes a small event or something that is, hey, it happened, but nobody noticed, which is our favorite type of event. And yet, because we did avoid that challenge, we still need to be thinking about how to make sure that it doesn't become something bigger next time.

Kate Pierce: Even going a little further, for those organizations that have had an incident, no one wants to be that person that [00:16:00] clicked that link, that missed that phishing email, or whatever the incident was that allowed that threat actor into your environment. It's also important, I feel like, don't waste a good crisis, right?

There's been plenty of them. I remember there was a hospital that was a partner, they were a tertiary care center that we sent a lot of our patients to, and they had a major cyber incident. And after that, I had a lot more acceptance from our physicians in accepting the constraints within just managing those risks to our organization.

I love what Senator Warner said about cyber security. He came out with a paper in late 2022, and it was called, "Cybersecurity is patient safety." And if we can start linking cybersecurity to the way that it affects our patients and our staff, I think it becomes more part of the culture.

Sarah Richardson: And think about the fact that what you do at work to keep yourself safe applies to what you do at home to keep yourself safe. And so I love the fact that we [00:17:00] can start to pull forward this next generation because if you're looking about, keeping themselves safe in a completely digital world.

Today's generations are 100 percent digital. What are the best protocols? They need to be safe at home, at work, etc. And so I'm hopeful that we continue to bridge this half a million person gap and what we need just in the U.S. for cyber security and events like SOAR, where there's so many women who are really well geared to be successful in cyber security.

We think about the conversations of you. Women make the healthcare decisions in their families. They're the ones who protect the family. We are naturally wired to be excellent cybersecurity professionals.

Kate Pierce: Oh, I definitely agree. I think someone said that to me yesterday in a conversation after they spoke and I think that's completely true.

Your instinct is to protect your family, protect your children from risk. And you're, in essence, doing something very similar when you're protecting your organization from those risks. I like the analogy.

Sarah Richardson: You can [00:18:00] protect the organization and still be fierce in the process of also being empathetic enough to understand what it means.

Kate Pierce: This is just such an untapped potential to increase women in cyber security. And part of that is right now we are at 23 percent female security experts in healthcare. Think of that untapped potential that we can use to lessen that 500,000 personnel gap in cyber.

It's, and I think it's just a matter of time before people begin to realize, women begin to realize and embrace their ability to be great at being in cyber.

Sarah Richardson: Thank you for being at SOAR. Thank you for being a partner. Thank you for sponsoring the event. We know we'll all be back next year.

This has been incredible. And it sounds like we may be able to start turning it into a recruiting event for women in cyber as well. That's all for now. Thanks for listening.

Drex DeFord: Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now [00:19:00] there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved