Ed Marx, Vugar Zeynalov From Cleveland Clinic on Security
Episode 16713th December 2019 • This Week Health: Conference • This Week Health
00:00:00 00:43:14

Share Episode


This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

 Welcome to this Weekend in Health, it influence where we discuss the influence of technology on health with the people who are making it happen. My name is Bill Russell Healthcare, CIO, coach and creator of this Weekend Health. It is set up podcasts and videos dedicated to developing the next generation of health leaders.

Today we have a great show around cybersecurity with leaders from the Cleveland Clinic. Which we're gonna get to in just a second. I want you to know that I'm out there looking for sponsors right now, and I'm, I'm pursuing sponsors that I believe in so that I can speak about them with confidence and I can recommend them to you strongly.

And, uh, today I'm excited to announce a new sponsor in Health Catalyst. Um, in the digital age, cloud computing is an essential part of more effective healthcare and precision medicine, but healthcare organizations themselves are still facing challenges. In migrating to the cloud, currently only 8% of EHR data needed for precision medicine and population health is being effectively captured and used 8%.

That's amazing. Learn how Health Catalyst data platform brings healthcare organizations the benefits of more flexible computing infrastructure in the cloud. Visit he this week, health.com/health catalyst to download a free ebook on how to accelerate your use of data in the delivery of healthcare and precision medicine.

Welcome Health Catalyst to the, uh, family of sponsors who are dedicated, dedicated to developing the next generation of health leaders. Here's our schedule for the next couple of weeks. Uh, the Friday shows will not stop. They're recorded. They will continue through the holidays and into the new year. And, uh, we have a lot of great interviews lined up for you.

Uh, plus we have two end of the year episodes, year in review and the top 10 podcasts. The year in review is just me looking at the various episodes and pulling out some of my favorite, uh, clips from that and sharing that with you. The, uh, the top 10 episode is just what it sounds like. There are top 10 episodes from this year in terms of number of listens.

I'm gonna pull out a clip from each one and we're gonna do a countdown so you'll know which is the, uh, most listened to podcast of the year. And I'm looking forward to doing that. . Now to our show that So, uh, today I'm excited to be joined by Ed Marks, CIO of C Cleveland Clinic and Vigar, I'm not gonna say your last name, we're just gonna assume like your share or Madonna, uh, chief Information Security Officer for the Cleveland Clinic as well.

Good morning, gentlemen. Welcome to the show. Hey, good morning. Thanks for having us. Good morning, bill. So, so, um, ed, you know, one of the things I appreciate about having you on the show is, uh, we end up talking a lot about life and for our, for our audience, we're gonna, we're gonna jump into the, you know, architecture, innovation and other things.

But before we do that, I'd love to hear how the, the, uh, recovery from the, uh, cancer diagnosis is going for you. Oh, it's, it's awesome. I am, uh, fully recovered, so I was very, I consider myself very fortunate that I only had cancer for 45 days between . Time of discovery and time of, uh, lab results proving that the cancer was gone.

So I'm very thankful in terms of, uh, the physical recovery. I'm back racing again. So in the last, uh, few weeks I've raced multiple 10 Ks, which is a good barometer for my overall speed as a do athlete. And, uh, I podium finished and all of 'em in the last two took first place. So, um, very happy with the recovery so far.

So. That's, that's, that's fantastic. And you, you still have like a minute to drop off your time if I'm following your social media correctly. Yeah, yeah, that's right. So normally I'm about a six and a half minute miler to be competitive. I've gotten down to seven and a half over a 10 KI can go a lot faster, obviously on a shorter uh, run, but for 10 K, that's, that's where I am today and I need to get to six and a half by end of the year, so I'm on track to do it, man.

That's fantastic. So has, has your time as a patient influenced your thinking as ACIO at all? Yeah, certainly. It reinforced many aspects. You know, where we are all big believers in digital transformation, digital technology. It's really these technologies that. Not only helped save my life, but enabled, uh, me to return to the quality of life very quickly.

I can't imagine not having it. That's why I believe we have a moral and ethical responsibility to ensure that all that we do as it professionals, security as vendors, everything, um, we have this responsibility to ensure that this same capability is available to everyone across the world. It is. I mean, you can, we have the tools today, so it's really important that we all be, are passionate about this and get, get this job going first in our organizations and then in our communities and beyond.

Yeah. No, that's fantastic. Uh, Vigar, you're gonna be probably new to our audience, so can you give us a little bit of your, your background and what you're doing at the, uh, at the clinic? Sure, bill. So I've been in cyber for 27 years now, probably as long as the industry existed. I worked with the US government and native in Europe.

Um, financial institutions, Canada and the US helped them to stand up their security programs. For the past 12 years, I was in healthcare, uh, with payers, um, medical device, manufacturing, and now providers are the next frontier. And if you think of my career, it evolved almost like cyber evolved from government to finance, to payers, uh, pharma, and now providers.

Wow. Well that's exciting. So today we're gonna, you know, we're going to dive into cybersecurity and other things, but I, I think how I'm gonna do it is, uh, we're gonna really look at four, four topics, strategy, architecture, operations, and innovation. And I think you guys have done a ton of work over the last two years in each one of those areas.

And, um, so let me just start by, if you were gonna put those in order. You're coming into a new organization, so strategy, architecture, operations, innovation. What, what order would you address them as you come into an organization? Either, either one of you guys? Now I'll have, this is perfect for Vigar because he came into the organization with this fantastic background and there was really no security organization when he stepped in.

So he is best to speak to this 'cause he actually came in and had to go through that thought process that you just talked about and that ordering. So Vigar, why don't you share, you know, a little bit about that journey, you know, bill, all these fantastic organizations I had the privilege to serve. Um, I have to say that this is probably the most challenging role I had.

And here's why. Uh, all these great institutions, they had all the important things in the world. They had their finances, they had their pri uh, their, their brand reputation, uh, intellectual property. And Cleveland Clinic has all that too, when you look at the cyber, uh, landscape. But on top of that, we also have patient safety with hundreds of thousands of medical devices.

Yep. Patient privacy. I people come here at the most vulnerable time of their lives and on top of everything else, if something happens to their data, it, it's, it's a devastating experience. And then things like virus outbreak in all the other industries means you can process transactions, you can process claims, which is really, really bad for us.

It means babies in NICUs, people in coma. Loved ones storming the hospitals, trying to find out what's going on, if the, the network is down or the phone system is down. So the impact is amplified by the nature of what the institution does on the, on the other side. Um, admittedly, provider industry is behind, uh, government and, and payers, and.

And that creates, it's almost like economy of crime if you have high value assets. And right now healthcare information is probably the most valuable in the black market. Yeah. And then your defenses are, um, not up on par. That, that's the economy of crime. That's why you see this proliferation of healthcare breaches.

So speaking of what's, what's, what's, uh, where this, where to start. Um, when I came in. Prepared. My a hundred day plan was planning to do what, what I was trained over the years come do strategic strategy development, current state, future state. But what I learned really quickly is that our first, because we're behind and if we do everything the way we've done before, we'll never catch up by definition.

Yep. Second, it's almost like a lot of my common practices that I learned over the years were challenged in lieu of some common sense. For instance, um, there was no reason to learn something we already knew, like we had some cyber hy issues that we had to focus on. So the very first thing we did is focus on stopping the bleeding, addressing some, uh.

Easy. Easy to tackle issues. And then the way we communicated to the organization just to get the message across, we focused on diagnosis, right? To understand where our risks and weaknesses are, and put together a treatment plan which defined our path forward. You know, that was my experience coming in as ACIO.

Um, I was named an interim CIO, and then the following week we had a breach. And so I mean, it, it, it's, you know, it gives you the sort of the, the, the thing where you're sitting there going, okay, we're gonna put together a good strategy and then we're gonna put together governance, and then we're gonna put together education, training and all these other things.

But at the end of the day, as Mike Tyson says, you know, you, you could have your plan until you get punched in the, in the nose and you got punched in the nose. Seven days after I took in, I took over as interim. You realize that, you know, we, we are gonna do the strategy, but we've gotta, we've gotta make sure our systems and our processes and our, uh, processes and our architecture, we have to make sure all those things are sound today.

So there is almost a, you know, start bailing the water out of the, out of the boat, also patch the boat and do all those things at the same time. What, so what have you found to be the most effective process for setting strategy? The, the cybersecurity strategy? For a, a system of, of this magnitude? Well, the very first thing we did, and we had similar experience to what you're describing, is I took my entire team to the, through the, what we call journey of the patient.

We visited every single facility and we went from admission to discharge with my team. Wow. At the same time I went and, uh, met with all the key leaders within the organization with a very, uh, humble message. This is a very humbling place. We get to work with the best of the best of their field. So my message was, help me, help me understand because if, if, if we understand this is a green field, we can focus on the areas that are most important to you.

Second, if we understand and, and heaven forbid something happens, then we can make better decision for the organization. It's like if, if they know their patient, they can rush them to the operating room versus doing all the diagnosis. Yeah. And finally I ask for forgiveness. I told them if there is one thing we guarantee is that things are not going to be smooth.

And when, when it, when they do, when things happen, we want to have a relationship in place so they can pick up the phone and call. Um. Because this is, this is new to the organization. And then looking at the size and complexity of this, uh, organization and what we do is, uh, rolling out cyber program here was, was, was quite a challenge.

So we started with understanding and uh, through that experience, actually I got the best wisdom you can think of. , they were very open, very uh, forthcoming with some thoughts of what's the best way to communicate, uh, cyber to physicians. Because you think about it, they have a lives of people on their hands.

Yeah. And here I am talking about bits and bytes to how do you bring the world of bits and bytes to the world of saving lives? And some of these experiences you're describing that, that helped us quite a bit because those two lives, two, those two, those two worlds are coming together. Um, so the, the way we constructed the strategy, yeah.

We, we followed the standard strategic development process, current state assessment, future state, target, state, uh, gap analysis, all that. But the key was the way to convey to the organization using, uh, using the language that our physicians are familiar with and they can understand and appreciate and connect with.

Yeah. So, so Ed, all this work is going on. I assume you have so many tasks that you're, you're trusting, uh, Vigar to really run this thing. But how, how do you support him in this? How do you come alongside of him as the, as the CIO? Well, we are in lockstep together on everything. In fact, we report up together to the board of directors, so our audit committee specifically on all things cybersecurity.

So that they understand that this is our top priority is to ensure the safety of all of our information data for the reasons that Lugar mentioned. So that's one way is to be very visible with them. Whenever we have to do anything that causes a lot of organizational change. And you imagine with going from a no cyber program to a very robust cyber program, there's significant change and change management required.

So Lugar and I always typically present together. So again, it's showing that in-person support, I have vigar provide routine updates to our executive team. Because rather than have me talk about it, I want them to hear directly from Lugar and know who he is. And like you said, when he first arrived, he did an excellent job of developing relationships and communicating.

So we wanna have that relationship continue. So it's constantly promoting what he's doing, giving him visibility, showing my direct support. And then maybe the final thing is really ensuring appropriate funding. So like everywhere else we deal with budget, cri, you know, stuff and prioritization and it's really critical that cyber receive the funding that it requires.

And so it's really making sure that we get everything that he needs for the cyber program to be successful. So those are probably the three big areas that I show support. Yeah, that makes sense. So vigar, they now, how important is system and data architecture in maintaining a, a strong security posture?

Well, if there are two things that significantly impact the cost of cyber defenses would be lack of standardization. Because if you have standard systems, we can put all the security protections and roll it out. Yeah. And the second is lack of data governance. I mean, people compare data to crown jewels.

Imagine the Queen of England walking around and throwing her jewels on every bed and expecting a secret service to protect. Who would know where the data is, where the, just like she stores all her crown jewels in this, uh, locked room with laser beams, we can do the same thing. We know how to protect data.

The challenges, especially in the academic research center, data is everywhere and it's on the move. So those are the two biggest challenges we have. And strategy and architecture, um, are, they're, you think about it, it's a quality discipline, just like cyber. So having structured architect architecture process that defines where we want to be as an organization, having structured, structured engineering process that helps us to build systems and build, uh, capabilities that are, um, have all the controls and all the protections and everything else in place, and then, uh, discipline, operation, they're all contributing to one goal, quality, quality of the systems and cyber.

Is helping to enhance that quality because if it's not there, that cost of poor quality tips into operation and causes outages, causes, uh, breaches, causes, uh, all these quality issues that we observe. So how, how does security get integrated into governance? So one of the problems I found, and you, you touched on it, was, was lack of standards.

So we had, uh, 800 some applications at our health system and, uh, and new ones coming in like that, it didn't even know about that were just sort of popping in. And so one of the first things we had to do was, was get in front of governance and, uh. And, and, but then we had to insert a whole new set of secur, uh, security framework within government governance in order to make sure that these things, um, were, were not going to expose the organization or the data in any way.

And so beyond the, the normal checklist, which has now sort of become a. Uh, almost comical, you know, Hey, let's make sure this application is secure. And then you get this 14 page document and you check all the boxes and then somebody goes, yeah, it's secure. Hey, we're good to go. Um, you know, how are we integrating, uh, security into the governance process?

You wanna speak about the governance process before I mentioned about how we plug in security into it? Yeah. So as I mentioned, like from the very top, this is. Endorsed by our CEO, the whole, our cyber program and how important it is and critical it is. And that really sets the tone, I think, for all of governance.

And then getting down to the specifics that, you know, operationally that Lugar will speak about. And then it reports down through the board and we provide these routine updates and then it just becomes, when it comes to the IT level, we, we sort of split the responsibility between . It. So myself as well as our Chief compliance officer who oversee, has compliance and audit and he report, he doesn't report to the CEO, he reports directly to the board.

So because of these multiple channels, one direct to the board, one indirect through a subcommittee of the board, it ensures that we have visibility and support from the very top of our organization. So it's very top of mind in terms of the overall sort of structure in governance. In terms of the specifics, you can talk about the specifics in some of that.

Sure. Well, a actually, vigar before we get, so Ed, where does, where does architecture, uh, the architecture of the environment really reside within it? Is that in the, in, in the hands of ACTO or is that some other place within somebody who's looking at the whole thing saying, okay, we've, we've made sure that this, uh, not, not only security, but also, uh, interoperability integration.

Um, all those things. I, I, is there somebody looking at that or is that sort of distributed? It's, it's, it's somewhat distributed, but in terms of the architecture, if I'm to ask, this is funny because this is a current conversation that we have. If I were to ask for, I wanna see the drawings, the actual drawings of our architecture, how we architect the network, how we architect unified communications, how we architect all the interoperability, so our go-to, so we're, we're organized by domains.

We're an agile company as it, and, um, so that is in our, what we now call, uh, digital health domain. And if within that is the infrastructure piece. And so it's carried out in that function. So it's a lot of, you know, 'cause that's where infra, as I mentioned, infrastructure and our CTO is. So a lot of that resides at that level.

And then from a clinical applications, uh, that all reports up to the same domain. So a lot of that is in that domain. Now there's some architecture that is in some of the other domains, so it's a little bit distributed, but I would say 80% of it is within our digital health domain. Great. So vigar the, uh, integrating security into the governance process, how, how have you done that?

So, so from reporting perspective, just like Ed outlined, I have dual reporting relationship. I report to Ed, uh, as ACIO and through him to the CEO. And I also report to the chief integrity officer who is in charge of compliance and internal audit, and he reports directly to the board. So that's the reporting structure.

Yeah. Um, as we started, we established the governance console. We call, we have two tiered governance, console executive cybersecurity governance console made of ed's peers. And then the management, uh, governance console, which is the step downs, which is the operational arm of it. So if I'm a physician and I come up with a new app that I'm like, Hey, just went to himss, have this great thing, it's gonna help us in the area of oncology.

I wanna bring it in. I go to, uh, how does it, how does it filter up to those groups? Sure. So, um, we also, since Ed's arrival, we started putting together a structured IT intake process. So the idea is we don't wanna create a separate cybersecurity intake process and then separate its intake process. We wanted to consolidate it, uh, all under a single.

Uh, entry point to the organization. So if, if someone wants to add any new application, new system, or anything else into our environment, have to go for a structured it, uh, intake process. And cybersecurity is plugged into it from the inception. So during the ideation phase. And what we've done, we transformed our organization from where it was.

It was a set of disjointed cyber functions and in every project you would have seven people from cyber, some from identities, others from network security and so on and forth. We consolidated that and, and, and exposed that through a series of services. We have an advisory function, just like major consulting companies do, if you will.

So there's a cyber, um, organization that builds all that awesomeness and there is an, uh, advisory team that diffuses it to the rest of the organization and single point of accountability. Um, and it has set of cybersecurity architects that, um, act as a conduit, uh, making it easier. So rather than you are getting 600 questions right from the beginning, from the inception, you would have a cybersecurity architect.

Assigned to whatever domain that application is coming from. That individual will represent. All the cyber functions help you to plug in security right from the inception into the search. Because every thing we do, every time we put security during the requirement phase, it's gonna cost us a dollar if we wait until the implementation is gonna cost us a hundred bucks.

And if we don't do it at all, it's gonna spill into production as a cost. Cost of poor quality. Yeah. So that simplifies, that simplifies it for our customers. Uh, the engagement process and then moving into that service delivery model. It simplifies things for us as well because it streamlines our processes, makes it, uh, consistent to the organization so they know what to expect.

And then overall, the customer services increase. Great. So, um, so I'm gonna jump to operations. This is where the sort of, the rubber meets the road here. And then I, I wanna close on innovation. Uh, I, it would be remiss of me not to talk to you guys about innovation given, uh, where you, uh, where you work and what you guys are doing.

But let's talk about operations. So security breaches. We know most of 'em are caused by people, either, uh, our users or even our administrators, um, not following processes and those kind of things. How, how can a health system minimize that exposure? The exposure of the people, or, I guess that's the question.

How, how can a health system minimize that exposure? Right. So this is a, so let me peel that off into several, um, kind of sub sub areas. First of all, um. Having this consistent security protections across the environment, and it starts on the operational side. It starts with having consistent data. So if we would have good asset inventory and we would know what our cybersecurity protections are deployed across our environment and make sure they consistently applied.

Obviously that, and, and that applies to everything, right? So from, um, things like antivirus and all the way to patch management and other backup and other essential controls that you have to have in place, that's one of, and that to do that we actually build a fairly robust data. Um, um, the metrics console.

Where we have feeding from all our security tools and IT tools feeding into a centralized like data lake, if you will, and delivering set of consistent metrics, um, to, I, I identify these vari variations from the standards and chase them. The second aspect that you outlined is privileged user management.

And you're right, that's one of the biggest challenges, um, is locking down privileged acts. And you can imagine the size and complexity of this Environ will have like. Tens, thousands of systems and applications and and so on and so forth. So we started a privilege management program first with introducing an ability for us to control that.

So, so we can vault people's passwords and they can go through a consistent way of accessing their systems and we can record what they're doing while they're accessing. And then the second one is streamlining and trimming it down to the acceptable level. It's a multi-year investment. Uh, given our size and complexity that's we're embarking right now.

Yeah. So Ed, uh, ed, I want to sort of ask you, you know, when you come into a new health system, regardless, um, most CIOs I know who've come into even, uh, well-functioning health systems, um, identify, uh, operational gaps right out of the chute. How do you drive, uh, a, a culture of operational excellence within it?

And I assume you put together some program or, or went after that was probably one of the first things you went after, I would assume. You definitely need to do that assessment pretty quick. You're obviously brought in. If you're brought in externally, there's probably a pretty good reason why. And I think a lot of times it has to do with the fact that there are gaps.

So it's quickly, you know, ascertain what the gaps are and then building your team to help address the gaps. 'cause you're not gonna do it by yourself, not successfully. Yes. So, you know, you, you identify those gaps. Build a team that can help you fill the gaps and then, you know, develop the plans, ensure alignment.

Start taking action and execute. Obviously these are not serial, they can be done. Uh, some of these can be done simultaneously. So it's just really hiring great people. I was so fortunate to have Vigar as part of the team. He actually, uh, came here a couple of months before my arrival and had already did exactly that, see the gap.

Develop a team, develop a plan, and start to execute on the gap. The, the other couple things we've done, bill, that I may have mentioned in the past is we went completely agile. So as we got the right people in the right spots, we developed this agile culture and philosophy and way of work, so we completely changed the way we work.

That was one thing, so that helped us become much more customer centric. Much increased speed to delivery and those sorts of things. The second thing we did is we adopted ITSM, which is like best practices for how you do it across all industries, and we made it a matter of employment, so everyone who existed had one year to get the training, which we provided, and then the testing to pass.

Any new hires have six months. To get the training and pass the test. And so that's happened, uh, a few months ago where everyone that one year, uh, expired and now we operate in best practice for it. Let me show you one quick example. Hold on. I rarely have paper . It's probably not gonna work on the camera, but what this shows is our serious safety events.

So you see, this is January, September. The first time ever recorded history. We had no serious safety events. VAR mentioned earlier that we use the vernacular of the, of our business, which is clinical, so we call 'em serious safety events in it TSM or in most it shops, you would call it major incident. So we had zero major incidents in September, first time ever, and then you couldn't see it very well, probably from the graph, but we had four or five months of just one.

One's too many, but one is much better than what we used to be. So our objective key result back in January, that's how we measure ourselves, is through OKRs. As an entire organization, that's how we ensure organizational alignment. ACEO has OKRs and they roll all the way down to the individual level.

Anyways, our ours said 50% reduction in serious safety events, and people said impossible. In fact, I was a little bit doubtful. We're on track, so I rarely have paper, but I had to tape this in my office. I was so proud of the team for achieving that. So that's a long-winded answer to your question, but that's, that's how you go about achieving operational excellence is by focusing, you know, hiring the right people, the gaps, the plan, and executing and focusing on the right things, and then measuring it and being transparent about it, and then holding people accountable.

So again, I know this isn't about your question now, and I'm gonna kind kind of go off, off tangent, but what we do, just like our organization, when there's a serious safety event, I'm involved in all of 'em as a member of the executive team. And people are held accountable. They come to our team meetings and they explain what happened, what they're doing, what the root cause was, what we're doing to make sure it never happens again.

We do the exact same thing in it. So the whoever's responsible for that serious safety event, it's not meant to be punitive, it's meant to be learning. They come, they explain what happened, what they're gonna do to make sure it never happens again. And then we hold people accountable. They should never show up twice for the same reason.

The other thing is you celebrate it. I mean, you have that chart for a reason and it's probably posted in your, in your office, so that anybody who comes in realizes, Hey, you know, this is a metric that really matters to the executive team from the CEO all the way down. Uh, it should matter within the organization.

So you celebrate it, you highlight it, you keep it in, in the forefront, and, uh, and, and all that builds that culture. So it's, it's all those things you said and it's, uh, continuing to elevate it. And that is not, that's not always easy. 'cause I'm sure Ed, you're getting pulled in a thousand different directions.

Oh yeah. It's, it's very difficult. We're a large, complex organization, but it really is a testimony to our great team. I don't mean just it, although we do have, we have started to put together a pretty amazing team. But everyone in our organization works as a team of teams philosophy. So it's working closely with nursing, with medical staff, uh, with finance, with supply chain.

Everyone working together helps achieve goals like this. All right, last, last five to eight minutes here. So I want, I want to hit on innovation, so. This is a topic everybody wants to talk about, but you know, it's important to talk about security and operations and architecture because innovation rides on top of that.

So, uh, digital innovation, digital transformation. Where are you seeing the most movement in this area, either within IT or within healthcare as a whole? And, and I'd love to hear from both of you on this. Yeah, I'll, I. I'll let Vigar talk first 'cause I would love Vigar if you spoke about the GSS O CS shock, which, we'll, which you'll explain what that is.

'cause that's highly innovative, I believe first in the world. So I think innovation, especially in the world of cyber, which typically perceived being no naysayers, uh, innovation starts with, um, being innovative within cyber itself. So we've been pushing the boundary, like as I said, if, if we would do things the way that we've done before, we will never catch up.

So we we're looking into ways to leapfrog in the future. And the only advantage of being behind is that you can learn from strengths and weaknesses of others. Yeah. But having done this multiple times. Um, the, the, there were a couple of things we're doing very, very differently. First, moving our entire organization to Agile.

Just having the entire cybersecurity organization, including our operational capabilities, running in Agile and moving away from large scale projects. Here's why it's relevant. Uh, if you think of our adversaries, most of them, well, excluding nation states, they may not have better tools or even better funding that we are, we, we do.

They're just more agile, more nimble. They, they, they're very focused on what they do, whereby, uh. Cyber takes its cues from a structured, IT processes around planning and discipline, right? Um, something emerges. New technique emerges on the cyber world. It takes us years to go through the, uh, approval and adoption cycle before we can put some protections in place.

Being agile and nimble and having these product teams that have a very, very clear mission, it's almost the same as moving from a traditional law forces battling. Insurgents to set up special forces that have very clear mission. They have all the funding pushed down to the product level, and they can make decisions, uh, fast and in a nimble way.

It allowed us, for example, in an environment like this, deploy some protections to, uh, 70,000 assets within three months from inception to fully, fully completed because there's no like, watch. Coordination effort that's required. Other things that we do very differently, uh, we are moving into cloud before anyone else does.

So we're moving on type perimeter into the cloud. We also established our cybersecurity operations center, um, co-located at, with what we call Global Security Operations Center. We're physical intelligence from our protective services organization and digital intelligence coming together and operating together.

I think this is pretty. Pretty new to the industry. Yeah, I think that might be first, first in the world. We're sort of checking that out, so that's really important because we do have a GS o Geo, uh, global operation center because of our, we're a global company, so we have assets around the globe, and so it's, but marrying the two together, because those, those lines have become blurred.

So it's, it's pretty, it's very innovative and of course we do all the innovative things you would suspect I was in a . Uh, surgery yesterday. So I, I work, I think I mentioned to you before on Wednesdays I spent about 10% of my time working in the OR now. And, uh, so I'm at anesthesia tech and I was, uh, assigned to the surgery yesterday.

And it was a very complex case and part of the issue was just the breathing airway for this particular patient. And so we took all the imaging that you would normally have with, you know, three d imaging from, from, uh, radiology, from our imaging institute, and then we created a three D model. So with that three D model, we actually knew the exact structure of the canals and the bronchi, uh, to where the tubes would go and to, to fix this airway.

and 'cause it was a very unique structure, which, uh, was very pro, potentially problematic. So with that, we could actually perfectly measure things and know what kind of scope, what size of scope to use, what length of scope, all these different things that otherwise we would've been ex people normally in the past would've perhaps experimented, you know, why you're working with your patient.

But we knew ahead of time because of this innovation. So that's just one example and I, it is so much fun 'cause I actually get to be part of it and, uh, be part of that patient care process. We have so many. That was the, just the first that jumped into my mind, you know? And, and, and actually I'm gonna, I'm gonna ask you after this last question, I'm gonna ask you to, to, you know, how can people follow you and that kind of stuff.

'cause um, you know, you hit on, uh, agile within the environment. You hit on the, uh, the innovation within security. And I know you guys are doing just a ton of clinical. Innovations that, uh, that people have access to and that you, you guys are, are very, uh, open in sharing. So, but the last question I want to get to before we come back to how people can follow you or learn more about this stuff is if you were to leave the clinic today, and I've been asking a bunch of people this, um, and you, you were going to do a startup.

So I, I'm gonna, I'm gonna give you a couple million bucks to get do your startup. What area would you choose to innovate and, and, and, and what, what, what might that look like? So for me it would be, again, we, so at the Cleveland Clinic, we wanna double the number of lives touch, and the only way, while we grow through m and a, the only way to really do that effectively is through virtual.

up our hospital in London in:

And uh, so we're, we're making steps planning that direction. Now take that a little bit further and what if you were in remote, you know, I have a medical clinic I think you know about in Tanzania, and so what if those patients there, we could also do high acuity care for those patients somewhere re remote where they don't.

Where they, they have the very only, the very, very basics you can't even imagine. Uh, but what if we could provide world-class healthcare to individuals in that village that I would, that's what I would invest in. I think we're getting very close to being able to do some pretty amazing things. Even our app, our, our patient app, our first ever comes out, our first ever.

In terms of the type of functionality, uh, that you would expect. From a world-class organization comes, actually came out today, but internally, we'll, soft launch, we'll have a hard launch probably in a, in a couple of weeks. But even that in the future we'll have, uh, capability to do virtual reality. So you actually interact with your clinician.

Uh. Looking at your own body based on images and kind of walking through it and looking, oh, you had a, you have a left meniscus tear in your knee, so uh, here's what it looks like. And you kind of walk around. I mean, that's so cool. And then you can visualize, be more engaged and then, you know, to, to the extent we could do more therapies and all that kinda stuff.

So that's what I would do. What about you? You know, if we're talking about cyber, one of the biggest challenge the cyber industry has is communicating value. Communicating value to, to our business and our clinical leaders. It's, it's been a, it's been a always a challenge, right? How do you present?

Actionable intelligence back first for decision making. Second for, for validation seen because, uh, typically, uh, clinical leaders view security as, as, as an insurance almost, right? So let's, let's make sure nothing bad happens in reality, there is so much more, right? Like that you little yellow lock. That you see in, in your browser, it's enabled what we today call e-commerce.

There's a lot of enablement that comes from security, and I think, uh, we, we are lacking, and this is everything from, from nomenclature to ability to communicate things with facts and numbers, communicate the value back to, to the business leaders. Yeah, I can see that. So, uh, you know, guys, thanks for coming on the show.

Uh, how not only how can people follow you, but how can they learn. From your experience from the Cleveland Clinic? Well, I think the best way is just whether it's on Twitter or LinkedIn, is follow the Cleveland Clinic because that I do that. That's how I learn, Hey, I didn't realize we did that , or, oh, we do that so we can apply some technology to that and make it even better.

So the Cleveland Clinic has all sorts of, you know, probably like three or four different channels within each of those, you know, LinkedIn and Twitter that I follow all of 'em and that's where you find the best stuff. And sometimes they'll include cyber. You were recently, Vigar was recently featured on cyber and every once in a while some, some of the things that come out of my digital health team.

So that's probably the best place. The 'cause the clinic is much, is an amazing organization with, I think you mentioned earlier, very brilliant people, much . I, we just feel honored to be a small, small piece of it. And so anything decent that we do that people might be interested, maybe picked up by by the larger organization.

So that's definitely the best place. I agree. We're both on LinkedIn and post some things here and there, but. I, I would say the Cleveland Clinic. Yeah. And I've been reading your articles. They make their way onto health system CIO as well, which is a great place to, uh, uh, I mean, you shared almost your entire cancer journey, uh, in, in articles.

I, I can't believe you have time to write. I don't know when you're doing all this. Well, the, the coolest thing though, if I can say this, is that, uh, 12 individuals, 12 men. Uh, who responded to me based on those articles, went and got their testing done their PSA test and had cancer and were treated. Wow. So that's the best part of the, the journey.

And then I actually visited with one, I won't mention any names of course, but, uh, we drove out 'cause they were only a couple hours away from where we live and we drove out with them, uh, right before they had surgery. And then af, you know, uh, uh, continued that communication and they're cancer free today.

So that, that was the best part about sharing the journey. It takes a little bit of time, but man, we gotta share our, our, every, all of us, we go through pain in life and we go through pain as CIOs and all good things too. But sometimes it's the pain in the journey that's most beneficial for other people to learn from, and you can help 'em and help stabilize.

Well, I, I appreciate you guys doing the show. I appreciate you coming on and, and being able to focus on, uh, cybersecurity and at a, a future date. I would, I would love to go through that entire journey and just help to get the word out, uh, to, to our audience. And, uh, I, I, I, I really appreciate what you guys are doing, uh, and innovating in this area.

It's fantastic. So, um. Alright, uh, so please come back every Friday for more great interviews with influencers. And don't forget, every Tuesday we take a look at the news that's impacting health it. This shows production of this week in Health It. For more great content, check out the website this week, health.com.

That's all for now. Thanks for listening.



More from YouTube