This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Anahi Santiago: If we don't do our jobs well, or even if we do our jobs really well but the threat actors happen to just get it right that one time, we could impact patient care.
Bill Russell: My name is Bill Russell. I'm a former health system CIO and creator of This Week Health, where our mission is to transform healthcare one connection at a time. Welcome to the 229 Podcast, where we continue the conversations happening at our events with the leaders who are shaping healthcare.
Let's jump into today's conversation.
Alright. Hey, it's the 229 Podcast, and this is where we continue the conversations that start at the 229 meetings.
And today we're joined by Anahi Santiago, the Chief Information Security Officer at ChristianaCare out of Delaware. Are all those things still correct, or did they add things to your title or move you around?
Anahi Santiago: No. I
Bill Russell: Wow. You've had a lot of longevity there. You've been there for a while, haven't you?
Anahi Santiago: Over 10 and a half years.
Bill Russell: Wow. Is that the norm for the CISO role these days, or is it less than that?
Anahi Santiago: No, I mean, I think the statistics state that on average a CISO sticks around for about 18 months.
I happen to have two ten-year tenures. I was at Einstein for 10 and a half, and now I'm blowing past that at ChristianaCare with 10 and a half. I'm just lucky that I've worked for two amazing organizations that have given me absolutely no reason to want to look elsewhere.
el or what do you see as you
Anahi Santiago: There are different types of CISOs. I think that there's a great demand. I think that there are some CISOs that just hop because they find different, more rewarding opportunities, whether it's financially or different organizations.
I think some come in, they put their mark, and then they feel like they need to move on. I do think that there are some that join an organization with aspirations to make impacts, and then they come across a lack of support for cybersecurity because of competing priorities. And I think that's a big reality, right?
don't want to adopt it, and where, you know, an organization might want to file an attestation around cybersecurity and put their CISO's signature on it, and the CISO's just not comfortable from a professional liability standpoint in doing so. And then I think some are being promoted out of the job. I know it's just those that are moving to be associate CIOs and gain greater responsibilities.
So I think it's a mix of things.
Bill Russell: It's interesting. I was talking to a CIO yesterday who will remain nameless, 'cause they interviewed for another job, and I said, well, you know, this is the first time you've interviewed in a while. What struck you? He said, what struck me was the starting salary.
it larger, but pretty much a
And I said, well, you know, that could be for any number of reasons. One is the job market: it's hard to find people for certain roles, CISO being one of those. It's hard to find that role. Do you think there's a disparity? Let's just say that certain health systems recognize the need for really good cybersecurity, recognize the need to put in a program and pay accordingly for that, whereas others don't?
Anahi Santiago: I get a lot of calls from recruiters. Although I'm not actively in the job market, I take those calls because I have friends that are in the market and I wanna, you know, I'm a connector. Like if I can help people. And when I talk to these recruiters, I'm actually disappointed at the level of pay that healthcare is commanding for CISOs.
y in the healthcare provider
Bill Russell: I mean, one of the topics I did write down here that I wanna talk to you about is the, you know, the CISO role, but mostly about healthcare, healthcare's unique challenges versus other industries' challenges. I mean, we talk a lot about how healthcare is unique and has unique challenges and is so complex. It would stand to reason that you need to pay somebody for that complexity, to manage that complexity and that challenge.
But I want to talk specifically about the differences. What makes being a CISO in healthcare unique and challenging?
right that one time we could
Bill Russell: Well, and we saw that a lot last year, right? I mean, we had significant outages at Ascension. We had Change Healthcare. We had a bunch.
Anahi Santiago: Absolutely, and you know that leads to emergency room diversions. It leads to canceled surgeries, it leads to oncology patients unable to get their treatment.
I mean, it really does have a significant patient impact. Even something like Change Healthcare, which really, you know, had a financial impact. Patients were showing up in pharmacies and they couldn't get insurance verification and were being turned away and they couldn't get medications. I had a friend who paid $3,000 out of his own pocket to get a life
ve traditionally not been as
15 years. That has left our industry with a whole bunch of holes. The shrinking margins aren't helping now. We have to compete more and more now with investments in clinical delivery. And then I would say that the open nature of hospitals, you know, when I first entered into healthcare.
you've got patients walking in the hallways, you've got nursing stations with 12 people competing for the same workstation, bells ringing, people running around. It's just very difficult to corral and implement sound security when the dynamics are so fluid. So I think all of those factors contribute to the difficulties.
Bill Russell: And I would point out biomed is really distinct to healthcare and not a small problem to solve.
t know, current than the year
But then it's not FDA approved anymore. Like it has to go through that cycle. Now I know we've made a lot of progress on that, but back when I was a CIO, I remember we did an inventory, and the number of XP devices on the network just shocked me. I'm like, what? I don't even understand where these are coming from.
They go, oh, those are all biomed. And they said, don't worry about them. Like, what do you mean?
Anahi Santiago: Yeah, it's interesting because you are right. Biomed devices create a lot of complexity. The certification cycle for the FDA is at times longer than the supported operating system cycle for Microsoft. And then because they're FDA certified, it's not like a regular Windows device where if it gets infected, we just throw it out.
d have to do to respond to a
They have to coordinate all of those recovery processes with the medical device vendor, which creates even more complexities. And, you know, we were intentional in running through this tabletop exercise, but in my mind I was extrapolating to the fact that out of the 90,000 IP addresses that are connected to our network.
it will be in the face of a
Bill Russell: I was talking to somebody yesterday, in fact, about their experience with a significant breach that went on at their health system. And one of the points that this person made as I was talking to him was that one of the hardest things was to get the vendors on the phone. I was like, what do you mean?
It's like, well, first of all, we have a lot of them. And when you have a system-wide breach and outage, like you need them all to sort of be at the table. And it wasn't as easy as I thought it was going to be to say, hey, we're having an outage, and they would provide the right resource.
All that stuff really has to be thought of ahead of time, doesn't it?
Anahi Santiago: In this tabletop exercise, we actually called the Philips support desk. And the person on the other line didn't know that we were running through a tabletop exercise. They reacted as they would, and it was a wonderful experience.
the back because it went so
Bill Russell: Well, and having been in so many other industries, I think just the sheer number of vendors that I found in health
ions. I'm like. So well about
So I'm looking at it and going, okay, I've been in manufacturing, I've been in banking, I've been... that is application sprawl. That is really not common outside of healthcare. It's amazing how many vendors we have to deal with.
ems from that one vendor and
They almost act like separate companies. Like just because I'm dealing with an oncology product from one name vendor, if I move over to a home health product from that same name vendor, they're completely different companies. They don't even talk to each other. And the ecosystem is expanding. I just referenced home health.
Now we are, you know, we used to have medical devices connected to our network. Now we're sending medical devices to patients' homes for remote patient monitoring, for hospital-at-home programs, for virtual care. And so we no longer have to worry about protecting devices that are on our network. We've gotta figure out how to protect those devices when they're on somebody else's home network.
es a good tabletop exercise?
Anahi Santiago: I think the good one... so I think one of the best tabletop exercises that I have experienced happened recently. A couple months ago, CISA came in and led a tabletop exercise for us, and we had participation from different areas of the organization, operational. I think we have done enough tabletop exercises that, although we will continue to learn, we've gotten pretty good at it.
ternal tabletop exercise. We
And what really added value to this particular tabletop exercise is we had 13 state, local and federal agencies at the table, participating in the room, physically in the room, participating in this tabletop exercise. And what we learned is that, you know, that the State Department.
hear a lot when I talk to my
Bill Russell: Yeah, I heard the same. That's wild.
Anahi Santiago: The participation of those local and regional agencies in helping us to understand how we could leverage them, I thought was immensely valuable.
So I would encourage everyone to include your local agencies in your tabletop exercises because in the 20 years that I've been doing this, I learned more than I have ever learned.
Bill Russell: We do learn more through the events. Like I love talking to people who have gone through a ransomware event, you know, because after you've gone through it... like you could do tabletop after tabletop, but after you've gone through it.
y procedures and where's the
Cle. Like, we spend so much time on that. And I think one of the things that's come up over and over again is something you mentioned, which is who owns the downtime. And the most common thing I hear at our meetings is it's spread out. It's spread out. Like you would own a piece, but each hospital, even potentially each department in that hospital,
would own their own downtime procedures. And some of them are advanced and some of them are woefully inadequate. Like they will find out when it actually goes down, like, wow, we didn't really think this through. And so that's one of the things that I keep hearing: we don't have like a common person
that is really about business continuity and recovery across the operation, if you will. We have it in IT, but we don't have it across the entire operation.
we now have created what I'm
You know, the ability to operate without technology, and the steer is comprised of executive leaders across the organization. So think in terms of all of the campus presidents, executives in finance and compliance, in materials management, public safety, so on and so forth, and I'm leading that effort.
a day, it's gonna be weeks.
But this isn't gonna be a multi-week project. This is gonna be a multi-year program.
Bill Russell: Program. Right. So a project has a start date and an end date, and a program does not. That's the distinction I make.
Anahi Santiago: Yeah.
Bill Russell: It's just ongoing, constantly updating, constantly looking at the environment. I'm gonna ask you a question.
It puts you in a situation that you're not currently in or looking to be in, but I think it's valuable because I want to ask you about creating a culture of security. But I want to ask it in a different way, and that is: if you were interviewing at a new health system and you're interviewing with the leaders, what are you looking to hear from them?
where they're at in terms of
Anahi Santiago: The only reason I interviewed at Christiana was because I wanted to get interview practice.
Bill Russell: Oh, you liar. You interviewed 'cause it's close to the Eagles and the Phillies.
That's why you interviewed there.
Anahi Santiago: Well, at the time I was working at a hospital in North Philadelphia.
Bill Russell: Oh, that's even closer. I'm sorry. I didn't mean to accuse you there. I just know your love. Yeah.
Anahi Santiago: And frankly, you know, Christiana, like my current job at the time, was a subway ride away.
d a culture that prioritized
I would want to hear that they actually understand and want to invest in cybersecurity, even if what I heard was, we're not there yet, but we wanna get there. That to me would be an exciting message, because it would invigorate me to want to move into an organization that, even if they have not adopted it, there's energy around wanting to adopt.
tting them to listen to you.
Bill Russell: Yeah. How are you... It's your job to get these people to do their cybersecurity stuff?
Anahi Santiago: Yes. Like literally I was being interviewed about what my skill sets were going to be to get them to drink the water. And after, you know, that one-hour interview, I thought, no thank you. I don't want a second interview. I have no interest in working for an organization where the interview led with that line of questioning. And so
those are the two polar experiences. I went for one role and I've been there for 10 and a half years because it's been an incredible experience. I'm so thankful that I did not agree to a second interview with the other organization.
Bill Russell: Well, we find that in the 229 meetings. It's been a while since I've led a CISO meeting.
ically does those, but I the
What's the alternative? I'm like, have a breach. I mean, seriously, like if you wanna get their attention, have a breach, and then say, this is what we were talking about. I'm like, not cause a breach, but essentially they're not gonna listen if you can't get them to listen based on what's going on in our industry.
The only thing that's gonna get 'em to listen is probably an incident.
ou are just fighting uphill,
Bill Russell: I really commend you 'cause you're one of the people who says this over and over again.
Security is patient safety. I think it's indicative of how they view patient safety if they don't prioritize cybersecurity. And you know, I feel for the people who are in that role, but almost the best thing they can do is go somewhere else.
Anahi Santiago: I do think that, you know, and I'm very quick to say, well find another job, but I also think that we have an opportunity to truly align cybersecurity to patient safety.
's important to them so that
ensure that we socialize and create a culture of cybersecurity by understanding what the organization needs to accomplish and ensuring that our conversations are tied to that. And so when I started at ChristianaCare, the first thing I did was schedule meetings with all of the executive leaders across the organization, and my conversation started with, hi, my name's Anahi Santiago, I'm the new CISO.
So what's important to you? Like what keeps you up at night? What are your priorities, so that I can understand how to align my cybersecurity program with what's important to the organization. I did not show up at those meetings with, here's why cybersecurity is so important, here's what you need to know.
, it was really important to
Bill Russell: I could definitely see that. So you must be in a pretty good mood 'cause the Phillies, I think, are in first place.
And the Eagles look pretty good so far this year.
Anahi Santiago: They just swept the Mets four-game series, and I was at three out of those four games. So not only did I show up in a good mood, but I'm surprised I'm actually coherent, because the last three nights have been very late nights for me.
Bill Russell: How do you feel about the playoff run?
e the whole stadium got just
I'm super excited.
Bill Russell: I'm hopeful for you. The four-year Nola deal I think was a bad deal. I know you guys love Aaron Nola, but he doesn't have four years left in him. But he might have a good playoff run left in him, or, you know, a couple games.
Anahi Santiago: He's been pretty inconsistent, you know, coming off of his injury, and so I don't know what we're gonna get out of Nola.
I'm optimistic, but honestly, like, he's not the player that excites me. I don't have to see Ranger on the mound. Certainly a little nervous about him. A little nervous about Walker. Sánchez has been giving us a good showing. It just... we'll see.
Bill Russell: The interesting thing to me is both those programs, the Eagles and the Phillies.
eir championship teams every
They're willing to spend money on key talent and they're not afraid to make hard decisions. The Eagles were an interesting one to me 'cause they had... oh, I forget the guy's name who took them to the playoffs, the quarterback, and then they ended up, you know, moving him aside for Jalen Hurts.
That was one of those decisions that was, well, do we, don't we? And they just made the decision, and clearly, you know, Hurts is a great quarterback. And that was the right move. But we forget how difficult those decisions are to make for leaders at the time.
mself, and I was actually on
The one word that I will not repeat on this call that came from my husband's mouth down in the man cave, that everybody heard on the Zoom call, and I think that was the general sense across Eagle fandom at the time. And boy, do we not feel that way anymore. And I think it speaks to, you know, our leadership, starting with Howie Roseman, who at one point our owner put in a closet and sent around the world, like demoted him and sent him around the world to study other sports organizations and their leadership, and he came back a different GM, and I don't think anybody would second-guess anything that he did at this point.
He's a magician.
Bill Russell: It is pretty amazing. And, you know, why do we spend so much time talking about sports? Because the analogies between sports and leading at a health system are pretty clear. From time to time I'll talk to CIOs and they'll say, man, I have this problem, this person, da.
And over the years I've been like, hey, you know, coach 'em, do this. And I've been Mr. You-can-rehab-anybody, kind of thing. And I think that is a very valid strategy. More and more recently I've just been like, how much of a problem is this? And if they say it's a big problem... like problems do not get better with age.
t's the score, and then it's
Ours are not nearly as clear. It would be nice if they were as clear, so that we could make the decisions we need to make with more clarity. But that's what I take away from sports. Maybe it's a bad thing to take away from sports, but that's, as I sort of look at it, I marvel that the Patriots won six championships.
I'm amazed that the Steelers won four. I'm amazed, you know, I look at those and I go, all right, how did they do that? How did they create a culture over time that won over and over again?
Anahi Santiago: Do you think it's culture? You know, sports are probably as unpredictable as healthcare, given that your best player could be taken out with just one roll of an ankle and your season can change.
ackup. And why? Because. The
You can overcome many of the challenges that we're all experiencing. We're experiencing huge challenges right now when it comes to margins and when it comes to uncertainty. But if we have the right level of culture and we can have difficult conversations that allow us to overcome them, then I think we can get ahead of the mountains that are in front of us.
Bill Russell: Yeah. I wanna thank you. Thank you for your time, for, I don't know, recovering from last night's game and joining us here on a Friday morning. Really appreciate you. Thank you
cast. The best conversations
If you have a conversation that's too good not to share, reach out. Also, check out our events on the 229project.com website. Share this episode with a peer. It's how we grow our network, increase our collective knowledge and transform healthcare together. Thanks for listening. That's all for now.