UnHack (the Podcast): Breaking Down Silos and Building Up Culture with Shawna Hofer
Episode 1225th November 2025 • UnHack with Drex DeFord • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Drex DeFord: I'm Drex DeFord, president of Cybersecurity and Risk at This Week Health in the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.

Let's get started.

Hey everyone. Welcome to UnHack. Shawna Hofer is with me, the CSO at St. Luke's in Boise, Idaho. Say hi, Shawna. It's good to see you.

Shawna Hofer: Hi Drex. Thanks for having me back.

Drex DeFord: We get to hang out from time to time. I'm kind of excited about some stuff that we have coming up. I'll talk about that a little bit later.

This is recorded in October and probably won't play until November, but I'm gonna ask you the question anyway because I'm just kind of dying to know: what kind of trick-or-treat stuff are you doing for Cybersecurity Awareness Month at St. Luke's?

Shawna Hofer: It's been a really fun month for us here at St. Luke's. We [:

And I have to admit that a lot of the things we did this month and we tried and are trying, we didn't come up with all these ideas. We learned about them from our peers in the 229 community and totally stole their ideas. So one of them is the concept of these cyber fairs where you go out and you go to the hospitals and you meet and interact with people.

, Hey, we do this concept to [:

You should be there for every brat and shot setup. And we were the entertainment. You stand in line to get your shot. You spin a wheel, you get some candy, you answer some cyber questions all while waiting in line to get your shot, and then you go get your brat. So it ultimately ended up being really fun.

I forced my cyber team to get out and interact with people, which of course took some nudging to get them to sign up, but I think everyone, once they did it, realized how great it was to get out and talk to people. So that was really fun.

Drex DeFord: I love that. When you can wrap things like that together too and kind of just kill one or two or three or four birds with one stone.

It's always good when brats are involved too. I'm a big fan of that,

ey. Let's bring these worlds [:

Drex DeFord: It's great. Plagiarism's the most sincere form of flattery, as I say, as I always say.

But yeah, this idea of finding good stuff at the summits and then saying how do we make this our own? This'll be a good story that you'll tell the next time we're all together, and I'm sure somebody else will run off and say, you know what we should do in October. And they'll be doing it probably at their place.

Shawna Hofer: They'll give us a call. We'd be happy to talk to 'em just like everyone else was willing to talk to us. So,

Drex DeFord: Yeah.

Shawna Hofer: Love that.

Drex DeFord: You've talked regularly in the summits with me about how cybersecurity success in healthcare is really about collaboration and relationships. And so the question that I wanna ask, because we talk about this regularly, is culture and how culture is built around cybersecurity, especially in a clinical environment.

Tell me about how you have been thinking about that.

education and awareness, we. [:

Uhhuh. But it, I don't, it was always more of a thing you said than what seemed like happened. So one of the things the team did this year, which I thought was really cool, they started this concept of a cyber minute video. Just a short video that, you know, if you can't get out in person and all you can do is kind of just a quick watch from the intranet you can watch one of these videos and they're one minute videos from people in the health system.

nize they can relate to. And [:

We've been doing that in different pockets. So that's one example related to cyber awareness month. We'll keep doing that throughout the year. But another example of how we've been trying to reiterate that is we, I went to a board meeting recently where the topic was it was an enterprise risk management update.

And recently within our organization we highlighted business continuity and disaster recovery as a top risk. We really were intentional about that, not because we aren't doing great things, we are because we wanted to make sure there was visibility system wide to how critical it is for the organization to lean into that and that it is a dual responsibility.

ve sponsors on that. So it's [:

And here's the really cool things we're doing, which was a five minute update from me. And then a five minute update from our vice president of operations who is the business sponsor for our downtime project. And it was really an example of here's how the organization culturally, and by taking action, is leaning into this risk, recognizing we own it.

This is our risk. We're running with mitigation strategy on it. It was just really cool I think for them to hear from her not always having to hear from me.

cts that we're implementing, [:

We are just in information services. We're just really great implementers and we manage the money, and a lot of it involves IT, but a lot of it is change management. A lot of it are, these are the things that affect the business or clinical operators. You've, but I love the way you've kind of turned that around into the security risk that actually is owned by business and clinical operators.

It's a really cool way to look at this. What, how did you think of that? How did that come up?

Shawna Hofer: We had a conversation as we were planning for the board meeting and, you know, it was, well, cyber can come talk about it. But hey, the work we're doing here is so cool and they're tired of hearing from me.

I've been going to talk to them for, you know, nine years now. Let's bring in someone new and it without hesitation, she was happy to do it and it just worked out really well.

: Putting that spin on it is [:

That happened recently. We think back to last year. I know we gotta stop talking about it, but the CrowdStrike incident, Change Healthcare and the Change Healthcare breach, all of that stuff has driven us to talk a lot more about resilience and yes, how do we bounce back or how do we continue to operate when these things happen?

What's operational resilience look like? I mean, certainly some of it's tied into this board conversation, but what's it look like there?

Shawna Hofer: That's exactly what the board conversation was. And you know, one of the things, what's funny, I had, I went back into the slides I mentioned, I've been presenting to this board for nine years now.

ad created a slide to try to [:

It was, they do this part, they do this part.

Sometimes we talk, you know.

And at St. Luke's, we've taken what I think is a unique approach to the evolution on this, and we've created an IT and cyber resiliency team. It does report into cyber, but as you see here in the title, it's not just about cybersecurity.

As you mentioned, these AWS, CrowdStrike incidents aren't just cyber incidents.

includes all of the downtime [:

It includes like BIA and business continuity planning. It includes cybersecurity education and awareness. So when you bring all of those groups together, yeah. I really think magic happens because you're thinking about things in a modern threat landscape, right? Yes. Cybersecurity incidents can bring us down for weeks.

But the planning that you do for those downtime for weeks is really also helping us for the hours long downtime we're going to have with an AWS or CrowdStrike. And so, having those teams work together, thinking about a backup solution or disaster recovery capabilities that aren't for legacy.

olved threats, and how do we [:

Luke's. Not only do we have folks on the backend of that working on infrastructure, but there's a natural kinda language barrier that happens on that team where we have frontline staff who are going to the bedside every day as part of the downtime planning. They're hearing from the teams: what do they need?

What are the challenges they face, which we can then kind of circle back to the education awareness team with how do we communicate better, both proactively, what they can do to prevent and limit the likelihood of a cyber issue, but also what they need to do in the event of one. So it's really kind of just.

ms that can work really well [:

Drex DeFord: It's that connection to the frontline staff, I think when we operate, because I do think it's a really unique approach.

I think when we operate in a lot of places as sort of still silos. Maybe there's a little Venn diagram overlap where we spend a little bit of time talking to each other, maybe right before tabletop exercises or something. But when you spend time with those frontline operators, I feel like you get more of a like, I really do understand now when we're down, like what's happening over there as opposed to what I think is happening over there. When you see it or when you know, you walk a mile in their shoes that your team, the rest of the IT teams really get that whole Oh no.

Shawna Hofer: Yeah, and you don't get it.

gotta get out there and you [:

Drex DeFord: Yeah, go do the rounding. Does this overlap into how does this make lap make tabletop exercises and those kind of things is

Shawna Hofer: Absolutely. Same team leans in to those. We'll pair up. So the IT and cyber resiliency team is part of cyber. And then, and when we do these tabletop exercises, we'll also bring in our more technical teams and we'll make sure that we're working closely in planning for what's realistic from a technical perspective.

And then how do we set up the incident response such that it aligns with what our organization would normally do? So when. My leader over the cyber and IT resiliency team is a former emergency manager, which means she understands the hospital incident command structure. She knows how to set it up.

eaking their language. We're [:

Drex DeFord: becomes even more important too, I think when we see a lot of stuff coming out now, studies that come out that say like when one organization in a community has a cybersecurity incident and has to start diverting or doing other things. Even when the other hospitals in the area, and you're kind of in a unique situation, you're kind of like the big system in your area.

But

As patients are maybe moved or EDs are closed and patients are moved to other facilities that it actually impacts the patient's wellness. You know, morbidity, mortality rates go up at the other hospitals just because the system is built for you to be in the process and when you're not, it changes everything.

is isn't just an IT or cyber [:

But I recently heard about one of our peer organizations who did kind of a mock incident with all of their kind local hospitals and clinics. And they pulled them all together and asked those questions of what would you do? What would you do? And I think actually Anahi was on with Bill talking about something similar on the East coast.

And so, you know, I think that's a really good lesson to all of us to learn from and say, yeah, how do we do something like that in our areas and make sure that we are prepared for something like that.

Yeah. For the benefit of our community and our patients, not just for us.

t outta here without talking [:

I probably should ask you a question about that. It's embedded in everything now. You wake up on Thursday, there's a new button and an application that you're using that has an AI button in it. And so you didn't really plan for that, but here we are. I think it's that way for everyone right now. How are you all thinking about AI governance?

And data protection and risks that weren't there six months ago, or five or six days ago sometimes. Yeah. How are you all looking at AI?

Shawna Hofer: I feel somewhat comfortable saying I'm probably in a really good group of people who can admit that we're all trying to figure it out. Yeah. Right. I, I. I don't think we have figured it out.

e most important elements of [:

What is the process by which we're pulling them in? And what we've done is really try to integrate that with our overall process so people aren't having to do something different. Because it's AI, we've embedded it into the standard process to help kind of streamline that. And I think, you know, for us and for everyone, it's gonna be a constant evolution of what are you asking in that question and how do you go back?

And how do you track that? But that's one of the things I think we've done really well is just, let's just embed it into existing, let's not create net new. Another thing that we're working on from an AI governance standpoint, we've got an AI governance body that includes all of the normal hitters you would expect.

s some of our major partners [:

And if so what is that group comprised of? How are they making decisions and are those different from the overall enterprise decisions?

who's part of that? So just, okay. We're trying to figure it all out. All of that. A lot of

Drex DeFord: it right now it's just being agile, right? It's just like you have to be, there are so many things that are changing all the time that you can't build Absolutely.

Build a process super brittle. Yeah. Because the new thing that tomorrow won't fit.

Shawna Hofer: Exactly. And I, you know, I think in healthcare, one of the other things I'm particularly excited about our AI approach and a lot of this has to do with just, we have great leaders and great people who are trying those different things.

not a lot of us do a lot of [:

And we did it, we learned a heck of a lot. We learned where if we were to do I dev where makes most sense right now and where doesn't where the financial gains and benefits and where not right now. And we learned that we have some really great skillsets on our teams to do this. But we're left with the question of: can we do it more broadly? And in the reality of the financial landscape for healthcare right now, the question that kind of just lingers is, yeah, you wanna invest in this, but is now the time to invest in this.

so it, it was a really [:

If we choose to go all in?

Drex DeFord: You kinda have to become a product builder and a

Shawna Hofer: yes

Drex DeFord: product maintainer. And from a resource perspective, that has to be. I guess a thing that is really going to either help us take money out of, you know, that we spend today That's right. Or put money in where we don't get it today or you know, you've gotta figure out what that ROI is to make that kind of investment.

It can't just be a

Shawna Hofer: Yeah,

Drex DeFord: offhanded bet.

Shawna Hofer: Which is where strategy and governance comes in to say where do you focus your time and effort that actually would result in value Yeah. And would be worth Right. Productizing rather than buying it off the shelf.

Drex DeFord: Yeah.

Shawna Hofer: So that's part of what we're trying to imagine and create is if that's our future, how do we make sure we focus on the right things?

ly big advocate for STEM and [:

Yeah. What needs to change? What kind of work are you doing? What kind of work are you seeing being done that you think is kind of helpful and has been successful to build a more sustainable cybersecurity healthcare workforce locally, especially with women and minorities?

Shawna Hofer: I'm pretty limited in terms of what I can see locally.

When we look at Idaho, we have some universities who are focused on cybersecurity, including some of our local colleges. And what I've seen in them, you know, some have done a really good job in this and some haven't. Mm-hmm.

What I've also seen to be a [:

Do they keep a cyber program or do they keep an AI program? Or build an AI program. And that has been a challenge locally as well. So for me, you know, I think getting out in front of people is always, I think one of the most beneficial things you can do. As a woman in cybersecurity, I think I need to be getting out there more often and having students and others who might be interested, see that it's open to people like me.

Right. You, if you look like me, you can be here too.

Drex DeFord: Yeah, yeah, yeah.

bble at this, the collegiate [:

But I think realistically it has to start earlier than that. I think we need to be getting in front of high school and junior high students, not just from a day to day, be aware for yourself kind of knowledge, but get them thinking about this type of a career option earlier on so that they can be seeking out those opportunities before they get to college.

Drex DeFord: Yeah.

Shawna Hofer: But I still try to steal, um, people from different degrees. So, for example, I work a lot with Boise State. I actually was an accounting graduate from Boise State. And I sit on their advisory board. Their accounting advisory board. So I've had an opportunity to meet some of the accounting students and I always use the opportunity to say, Hey, you can get into cybersecurity from accounting.

You know, I like that. It's possible. I've done it.

name came up multiple times [:

People in the room who knew you and were talking about things that you were doing. So don't feel like you're not doing enough, like you're definitely flying the flag. It's one of the things I really like about kind of having you in the community. You're co-chairing a CISO summit that's coming out in San Diego next year, and you're bringing together a really good pack of folks for that too.

How's your experience been with that crew? I know you've we've been, some of us have been together before. Is that, is it all coming together as you hoped?

Shawna Hofer: Yeah, I think it will. The great thing for the 229 Project is that you're working with a lot of the great people I'd wanna have there.

've, I've already, yes. Been [:

Drex DeFord: It was great. The Lake Oconee event was really fun because it was two alumni and it was, everybody else knew people. All of them had said something to the effect of like, you know, they're in your signal chat or something and they've heard people talk about it and so they knew that they had to sign up or someone else had told them.

So, you know, like the word that's really continues to spread and I appreciate it. I wanna ask one more question. Last one for you. What's something about being a healthcare CISO that most outsiders don't really understand about the job?

Shawna Hofer: In my opinion, you know, I think there's an assumption and kind of going back to getting more diversity in the job, I think there's an assumption that to be a good CISO means you have to have come up in the ranks in cybersecurity, or at least in IT. And a lot of them have, and they're awesome.

But some haven't [:

so you find yourself working around a lot of like-minded people in that way. Generally more collaborative. And I think there's an expectation as a healthcare CISO that you're good at that, right? You have to be able to bring together people to be able to speak the languages of all those people, whether you're talking to finance or HR or an executive or an [00:27:00] individual contributor or frontline staff.

It's the power of being able to bring people together in the way that they wanna be brought together in a way that works for them. Meet them where they're at, right? It's not, Hey, come to me. It let me come to you. Mindset that I think makes a healthcare CISO successful that I don't know that other people outside of this role really, truly appreciate how important that is.

Drex DeFord: Yeah. You are a world class translator. That's also kind of part of it, right?

Shawna Hofer: You have to be.

Drex DeFord: You have to.

Shawna Hofer: You have to be.

Drex DeFord: Hey. Thanks for being on the show today. I really appreciate it, Shawna.

Shawna Hofer: Yeah, thanks for having me back, Drex. See next time?

Drex DeFord: Thanks for joining on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.

Together [:
