This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): Zero Trust and the Identity Perimeter with Mary Dickerson and Gordon Groschl
Gordon Groschl: For every bone density analysis that we're doing, it used to take 20 minutes. So now three minutes, that means we're saving 17 minutes that the radiologist can spend on much more productive and even more important, you know, readings.
Drex DeFord: I'm Drex DeFord, President of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.
Let's get started. Hey everyone, it's Drex. Welcome to the UnHack podcast. Always exciting to have amazing guests with me today.
Today I've got Gordon and Mary. And Gordon, why don't you start, introduce yourself. Tell us a little bit about your background. Yeah,
e Chief Information Security
Also have responsibility over healthcare technology management. That's other organizations called Biomeds, a pretty large team, and been in healthcare now almost 20 years. And before then I was 10 years in telecommunications and a few years in the Austrian military. And I'm excited to be here and chat about cybersecurity.
Drex DeFord: You have one of the coolest backgrounds, and then to hear the story about how you wound up getting into Texas Children's and the work you've done there, it's just been nothing short of awesome. You've actually, you were promoted to the CSO role just in the last year or so.
How long has it been?
Gordon Groschl: Yeah, it's now over a year. I think I functionally have been fulfilling that role. And so they finally slapped on the acronym.
Drex DeFord: Time flies when you're having fun. It has been over a year. Yes. Hi Mary. Why don't you introduce yourself for everyone who's listening.
Mary Dickerson: Great, thanks.
ouston. UT Health Houston is
School of behavioral health and sciences, and we also have a school of biomedical informatics. So we have everything that ranges throughout healthcare and again, on the academic and research side as well. I've been at UT Health Houston for three years. Before that I was 25 years at the University of Houston system, where they also have academics and research and healthcare as their core missions.
s in one institution doing a
I'm enjoying the experience. I've really enjoyed getting to know Gordon and all the great work that he's doing at Texas Children's. Slightly different missions in what we do, but very much to the same strategy as to how to go about trying to deal with it successfully. So it's been a great partnership, spending time with Gordon and learning from all of his expertise and forging a new adventure of my own.
Drex DeFord: Hey, Gordon, you have research too, right?
Gordon Groschl: Yes. Yeah. Texas Children's actually has a pretty, I would say, elaborate research arm. So we partner with Baylor College of Medicine. That's where we get all of our physicians, and so many of the, I would say, researchers that work at Texas Children's come from Baylor.
awarded at large. A grant, a
Drex DeFord: When I was at Seattle Children's, we had a research institute too.
One of the biggest challenges I think I ever had was trying to figure out how to operate across the hospital and the research institute. Yeah.
And helping the docs who are in the hospital and also who are researchers be able to get to one side and the other side and do it simply. I'll start with you, Mary. What's your thinking around that? How do you try to solve that puzzle today?
Mary Dickerson: So we actually have a lot of it integrated within itself.
occur in, while at the same
One of our biggest challenges right now is dealing with a lot of the federal and the state mandates that have come down regarding research security and compliance requirements. On those ends, we've always felt the understanding that research needs to be protected. Going to the lengths that the federal government would like us to go to with respect to foreign influence and things like that has made it a little bit more challenging to separate the research space from the clinical space when so many of the items are integrated in their concepts.
Drex DeFord: From my time at Seattle Children's, you want that integration to happen, right? That whole "how do we get the research from the bench to the bedside as quickly as possible" is really important. But Mary makes a great point about a lot of these research grants come with security requirements that you have to adhere to.
re you thinking through that
Gordon Groschl: Yeah, what we did, and I think, I'm not saying it solves all the problems, but I think it solves some of our problems. We really built out a fully compliant public cloud environment for our researchers. It's not like a Lego build kit.
Where they get access to, I would say, capabilities. The data is already there. It's all secured and HIPAA compliant and compliant with CFR 21 Part 11, and it allows the researchers then to do their work in that, I would say, environment that is completely segregated from our operational environment and play around and do preparatory research and come up with, look at data that would then lead to any kind of research protocol that they want to execute.
e, which was like every time
So I think this was a fundamental shift, and using public cloud for that has allowed us to really build on a very solid and secure foundation. So they're, you get these guardrails where you say, okay, I want my environment to be completely compliant. And it really accelerates the whole process.
Drex DeFord: This idea of building a structure that is secure but agile. So you can turn up the volume when there's new requirements. And that applies to things like M&A too. But being able to expand when you need to accommodate what the business, clinical or research leaders need turns out to be pretty critical.
If you leave the blueprint,
Yeah. More preparation, more work. Everything gets much longer, and I think it's a way of helping researchers and motivate them, right? To use the blueprint, the path that you're laying out to them, versus going their own path, and everything is unique and special and therefore have to investigate and risk assessments and security configuration reviews, right? Et cetera. So building those pre-approved pathways really helps, I think, accelerate researchers, and when it comes to research, every, things move fast, right? And it's much more dynamic than, let's say, patient care, where it's all about reliability, making sure the services are available, they're up, the data has the right level of integrity.
The security is there, but it's all about frictionless access and availability in the patient care space. I would agree
ose pathways that make sense
So we actually have a team that they go out and individually meet with each researcher to discuss what they're doing, what they want to accomplish, and then we work with them to make sure that those pathways, as Gordon described, they are the fast track. They're not, every researcher has a unique snowflake, but we are making sure that as we build those pathways, we're not doing it in a vacuum.
So they want to work with this because we've built something that they agree with, that they understand and that meets their needs. I think one of the big traps that we in the information security world get is we decide what we think the right answers are and expect that other people are just going to agree with this.
s, especially in this space.
Drex DeFord: That's great when you have these conversations, some of them. I didn't mean to make this kind of all about research and the research healthcare delivery system overlap, but we've gone down this road.
So I wanna ask one more question. Mary, a lot of these grants, a lot of these research projects extend across multiple institutions too. How do you handle that?
Mary Dickerson: We've had a lot of conversations with the other institutions. Just recently we're doing a collaboration with one of the major hospital systems in the medical center, and we've had direct conversations between their information security team and our team to say, okay, this is what we're looking at. This is what the research side is saying that they want. What are your feelings on it? And so we come up with an agreement as to how the technology should work, and then we go back to the researchers saying, hey, this is what we've come up with. Will this work for what you need?
ersations, which can be very
Because when one research collaboration is successful, you get the snowball effect of, oh, could we do this and could we do this? And so investing the time upfront to have those conversations, to come up with something that really is workable, ends up being a good investment on everybody's part.
Drex DeFord: A couple of good lessons there, I think. Go slow to go fast.
Speaker 4: Yes.
at turns out maybe to be the
Gordon Groschl: Agreed.
Drex DeFord: I wanna ask you another question, break from that and head in another direction. What is one of the coolest projects that you've worked on recently? And, what's the effect that it's had? What's some of the return that it's had?
It's always interesting to ask this question because sometimes the answers are all over the place.
Gordon Groschl: That is a great question and I could tell you now all about the wonderful cybersecurity program things that we're doing, but I'll pick something completely different.
asically the density of your
And the cool thing about this is that a radiologist, typically it takes 20 minutes to do that if they do it by hand, right? If they sit there in the dark room on the big screen, right? And if they do and they draw, they put this place mark, like marks, on the x-ray, and then measure it like in all kinds of angles.
It takes roughly 20 minutes per reading. The AI does it in under three. So think about it, like for every bone density analysis that we're doing, it used to take 20 minutes. So now three minutes, that means we're saving 17 minutes that the radiologist can spend on much more productive and even more important readings.
ll from throughout Texas and
And that was a really cool project and there was a lot of cybersecurity involved. And it's artificial intelligence, it's large language models, but our data scientists and our AI team, they did a phenomenal job. So it was very exciting.
Drex DeFord: I mean, it's, you know, and it's fairly easy math to do if you're giving them back 17 minutes, times, however many times they're doing this in a day or a month or, yeah. The amount of time back in their bank. Yes.
Gordon Groschl: And at the end of the day, it's also, it creates revenue, right? If I can do something faster, then I can basically focus on other, more, I would say, valuable, not only like patient care, valuable activities, but I can also generate more revenue.
And radiology is a big revenue driver for Texas Children's. So we're very excited about it.
Drex DeFord: Mary, I'm gonna ask you the same question. What's one of the coolest things you've worked on lately that you'd like to talk about?
Mary Dickerson: So I'm gonna give a totally different answer than Gordon's approach.
And so one of the things that has come up with our discussions and working with our managers and such is that everyone talks about identity being the new perimeter, but a lot of people are not fully integrating that into how their security operations center is working. So what we did was we had a traditional security operations team that did incident response, firewalls, all the things you would typically associate.
s like that. What we did was
That only does SOC activities, but everyone else does identity and security operational tasks. And so by merging those teams together and refocusing the different pieces, we really have gone to identity as our perimeter. That's the first thing that we look at when we have a potential compromised account.
That's the first thing that we look at in our research environments to make sure we do have things secure and such, is we look at that. Well, by positioning our team that way, we've really approached how we're handling all of our security operations in a different perspective, and that different perspective is giving us a little bit of an advantage in dealing with.
n look at it in that way. So
Drex DeFord: Thanks for joining on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.
Together we are stronger.