This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
This episode is brought to you by Intraprise Health. Make cybersecurity a priority, not a headache. Cyberattacks put patients at risk and cost healthcare organizations millions.
But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, reputations, or bottom line. Intraprise Health brings together cybersecurity experts with over 100 years combined experience to offer a comprehensive suite of innovative software and services.
It helps leaders finally unlock a unified, human centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives. Visit thisweekhealth.com/intraprise-health to find out more.
Today on Keynote
(Intro) Protecting the data.
That's what it's about. Security's not the roadblock. That's something that was a common deflection point. I can't send this to a security team because they're going to be my roadblock. They're actually here to help you achieve the same outcomes, but in a more secure and strategic fashion
My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare one connection at a time. Our keynote show is designed to share conference level value with you every week.
Now, let's jump right into the episode.
(Main) Hey, welcome everyone. Really glad you're here. This is definitely the webinar you've been looking for. We're about to start Short Staffed and Under Threat: Your Organization Managing Priorities, sponsored by Intraprise Health.
I'm Drex DeFord. To the audience, thanks for being here. Thanks for submitting questions. And of course, thanks to Intraprise Health and our panelists. And a quick thanks to Holly, our producer for keeping us on the straight and narrow. Let's get started with introductions. Miroslav, you want to introduce yourself?
I'm Miroslav Belote, I'm the chief information security officer for Valley Health. We are a health system, so we have a fully accredited hospital, about 385 beds or so in Bergen County, serving about 450,000 people across 35 towns in that community. We have a Valley Medical Group, which is a group of about 100 or so practices, physician practices, and we have a home care agency that serves about 12,000 people a year in Bergen and Passaic counties.
I've been privileged to work in healthcare for a little bit less than 30 years, started at another hospital in New Jersey with the background technology and infrastructure, and then grew into the combined CTO CISO role. And I came to Valley about five and a half years ago as a CISO. And prior to doing healthcare, I was an IT manager for a financial institution in New York City.
Wow, great background. Thanks for being on today. George, tell me a little about you and Intraprise Health.
Yeah, so I'm the CEO of Intraprise Health. I've been really I get to say 35 plus. That makes me sound experienced, but not too old. Software industry guy, really starting in software development, database architectures, worked with several high technology companies, started in healthcare just about a decade ago now.
left as COO and CCO at over,:And really been very privileged to be part of Intraprise now for two and a half, almost three years coming now. And, our real mission, and I know we'll talk about some of this during our discussion. We started as HITRUST assessors with software products already for doing assessments and really felt that.
What the industry and our clients needed was what is triangulate this space between cybersecurity, risk assessments, and compliance. And how do you put that all together in the hands of a CISO like Miroslav and really understand where are things, what needs to be paid attention to? How do you collaborate with your leadership team?
How to grapple with some of these larger. Risk management problems that need scale. And how do you scale that? So that's really this automation of software and then talent and consulting kind of blends together.
There's a lot there. And like you said, we're going to, we're going to talk about a lot of this.
We, you and I talk, we do Unhack the News. We do some other shows together. There's always this thread of everything's connected to everything else when we talk about it. So I love the introduction. Thanks. Scott Mattila, Scott, tell me a little bit about your background, how you got here, and it seems every time I talk to you, you have a new job title.
So tell us
about that. It's a great thing. Yeah I've been in healthcare for 15 years now. Over 15 years, I don't know. I stopped counting. I think it's after a decade you stop counting, but you hope that you continue to go on for more decades thereafter. I'm the janitor here at Intraprise Health, not really.
ealth for many years. Back to:You can't ask for better. So coming in, joining the team, I brought some of my experience working with large payers. Providers and small health tech startups, as well as life science organizations and bringing those challenges that I've talked to CISOs and CIOs and everybody across the security gamut to try and say, okay, how can we do this better?
And how can we solve this to make it more meaningful, more impactful, bringing it together, that's a little bit more visualized. Glad to be a part of this team. And like I said, it's been a great ride for the past two plus years. And hopefully my roles won't continue to change too much to shake things up for you there, Drex.
It's like your roles don't really change. George just keeps giving you more stuff, which I'm a fan of
that. It's an expansion opportunity, right?
for healthcare. It feels like:Lots of third party risk challenges. Tell me about the prob when you first started doing this, there was initially the, here was the struggle, this was the problem that I was facing. When you first dug into the third party risk management program at Valley, what tell me about that. Where did you start?
I'll tell you that, I have to give credit where credit is due. My predecessor, my partner when I started at Valley, they've been doing risk assessments for a while, but they were resorted to, spreadsheets, questionnaires, things that were found on the Internet. We had short versions, long versions, depending on things.
And most questions were focused on vendors assessments of their technology architecture, connectivity, and related security controls. As our program matured we found gaps in that process. For example, not having specifics around security, not so much from the product or connectivity perspective, but more from vendors practices and their security posture and their policy perspectives as to how to deal with security.
Cyborg scoring was often subjective, based on vendors. Very often vague answers to the questionnaires, you can't really dig in. We exchanged documents back and forth. These assessments were typically done for larger software vendors, bigger deals that we had coming into the organization. So often, smaller systems and vendors did not go through the process as the other ones did.
The process of completion was, Manually intensive, very serial and mostly often, unfortunately, post acquisition or implementation of a solution. So that was a challenge. I would look at the questionnaire and wait for responses. Sometimes it took a while to get these back. Again, smaller vendors and partners.
Sometimes they had no idea what risk management was all about. Specifically around cyber security. They used outsourced tech services to deliver their services to us. And we'll talk about, third and fourth party vendors a little bit later on. But that's what we've learned and seen and we need to adjust.
and that's just the beginning of the list. I know we've talked more about this and there's a lot of stuff on your list. That's why I asked the question. Big, hairy, complicated problem. Sometimes there's paralysis that comes with that. How did you decide, like, where to start?
So a couple of events kind of drove us to be a little bit more rigorous around the process and put the process together first.
Believe it or not, and I don't know if anybody else had that experience during COVID for some reason legal and compliance reached out to us and IT and said, we're getting these calls from different vendors who are offering us these great deals on PPE equipment, protective equipment drugs, this and that.
How do we know that they're not from a foreign country, that they're reliable, and so on? So we started really going through and trying to figure out, look up the vendors, see what they have to offer, where they're located, and started that process. So we had a lot of focus on the operational piece that we started getting involved in.
Then a couple of years into my tenure at Valley, I was told, that they're building a brand new facility, a brand new hospital, which opened up this past April in Paramus as well. But a brand new facility, fully connected, quote unquote. Everybody wanted all the brand new toys. And with that comes, again, level of risk.
We have a lot of connectivity and now we need to vet not only the vendors who are doing the work and providing the services but also companies that build these things. BMS systems and other things that are now connected we need to really focus on. And we actually picked up from our legal and who said you need to go back and look at all of these.
A lot of these systems were brought in by the general contractor who had no IT background in terms of risk assessments or anything else. So we had to go back and we engaged with our partners Intraprise to, to help us along and go back and backtrack a lot of these systems and vendors and start vetting them through the process.
And again, it was a rigorous process and the organization knew that we really needed to do that. And of course, like all of our participants probably are experiencing, more outsourced than based services. And that creates a much more risky environment for us to deal with in vetting all of these vendors and products.
A lot of that really happened during COVID too, right? The decision to like we're not going to have people in the data center anymore, or not as many people on premise. And so we're going to go to more and more outsource software as a service and other things. We think we saw that across the board.
Same with you.
And like I said, those were the key things that kind of pushed our Risk assessment program in general, not just cybersecurity, but overall risk assessment program forward. And we have a lot of challenges, so we, we have to engage with our legal teams to adjust our contract language, to make sure that the new vendors know that they're accountable to us for some, responsiveness to the risk assessments, to redoing those on a periodic basis and so on.
We engage with purchasing to make sure that no purchase orders go through without having that process of saying, yes, IT and legal looked at this and signed off on it. A lot of benefits to that, but also a lot of rigor that needs to happen. We have to educate our operational staff to follow that process, which was not an easy thing to do because everybody has their toys, they all have their wish lists, and they say this is the best thing since sliced bread and we need to have it no matter what, but we needed to put some reins around that and some guardrails.
I hope everyone's taking good notes here because it feels like Miroslav is just raining down information on how the problem and then the solve of the problem. We can dig into a lot of that. I want to make sure I bring in the other guests. Scott, one of the things I think that we're hearing from Miroslav is that.
We think about a lot of risk. We talk about third party risk management, but a lot of it is just risk. There's a lot of risk in building new buildings or getting new software vendors or you name it, there's risk involved with everything. So you and I have talked about this integrated risk management idea.
And I like this approach. The concept has let you deep dive into a lot of other facets of this sort of risk. challenge. I've heard you and Miroslav both refer to it as like taking a holistic approach to risk management., talk more about that for me, if you would, and how you guys think about it, how you work with folks like Miroslav to get all this stuff documented and figure out how it all connects together.
Integrated risk management, and that new layer of unified risk management that we talk about too, is really bringing all components together. To your point, I've got third party risk, I've got my assessments that I am doing, I've got vulnerabilities, how am I going to manage and control that?
And really the approach that we've taken with our platform is to give that capability to track those things down where, to Miroslav's point, he's got 300 assessments going on. That's just from the third party side. He's got his internal assessments that his team is doing.
He's trying to evaluate different segments of the business from a cybersecurity perspective. Auditors
have shown up and given him a bunch of things to work on.
Exactly. Exactly. So how do you really correlate that information and say, okay, this is how I need to best present this to my leadership team.
These are what I need to triage. And the why, and, being able to identify that even down to a systematic, to an organizational level. That's the genesis of integrated risk management, unified risk management, as we call it, right? And it really is trying to figure out, okay, how do I best prioritize?
I was having the same conversation just yesterday with somebody else I've got so many things that I need to do. And it's really saying, okay, how do I take that? Make sure it's in the right areas because it's not just the, the world's on fire. No, there's pockets of fire that we need to put out and we need to do that in a methodical manner.
And so with integrated risk management, taking in those components and being able to visualize it, as well as correlate that data, is really what enables You know, the CISOs and their security teams to do that, George.
George the prioritization kind of process in the Miroslav, I want to come back to you, but I think through that there's probably things that you have to do to solve a particular problem or better cure a particular risk that's a prerequisite to other things.
All of that goes into this prioritization idea. How does that work? How do you guys help with that?
Yeah, those dependencies are important, Drex, but some of what Miroslav was hinting at earlier, and we'll ask him to really flesh this out some more, is that the CISO is this person who has accountability for things over which they don't have full authority.
And part of the dynamic is to take the risks,
and we have this thing in the system of exceptions. The head of cardiology will never want the machine to go down and get firmware updates. I think that's a problem, but it's an exception, right? Or, we never want MFA, multi factor authentication, on these systems because the surgeons don't like it.
Every one of those things is an exception. And so part of this notion of unification and automation of those third party questionnaires and the evaluation results that Miroslav talked about is getting it in one place. All the exceptions, right?
Because you can't just make the exception and then just forget about it.
That's what you're saying. Yeah. It's
also getting the team to be more understanding of the CISO's challenge. So they can You know, with a little help from senior leadership, press a few buttons to get some of these things done Miroslav? I see him smiling.
Oh, yeah, I was going to expand on that if you don't mind, again.
Please do.
Y'all should get it. Users, typically operational users, look at IT, especially security, as a roadblock. You guys don't want to let me do this. That's not our intent. We want to protect the organization. And that level of education and that message needs to come from senior leadership. So they need to buy into this process.
And you'd be surprised when we talk about acceptance of risk or exceptions, and you put that ownership on the operational decision maker who wants that system that's not compliant. A lot of minds change, and they slow down, and they start thinking now I own the risk, so let me rethink that a little.
Oops. That's a big piece.
And it's visible, right? The transparency part of this, of fellow execs, the board, folks across the board, being able to look at something and say, We're bearing a lot of risk in a lot of different areas. And for the CEO being able to poke at things and say, what are we doing about that?
And it's not yours, Miroslav, it's somebody else's. Super powerful. Yeah,
We put a process in place where again, if it gets to a point where again, the physician or the department head says, I need this because this is the best system that the industry offers. Fine.
Make that case to a group that we have: COO, legal counsel, CIO, and myself, CISO. Explain. We want to do business the right way. We want to care for patients in the right manner. So again, you shouldn't do that, but if you need to take that risk, explain it to us and own it.
Drives that conversation on risk Scott?
That becomes more integrated into the culture,
exactly. And that's what I say is the shared accountability and ownership. It's no longer siloed. We go back and are starting to change the silo of risk being just a security issue. It's a shared accountability across the organization, and bringing that into the capabilities that we have, we talk about with exceptions and even remediation, there's going to be a determination, and I'm sure Miroslav, you see this, is that doing those remediation plans has changed: evaluating, prioritizing those associated to, okay, are we going to accept risk?
Are we going to treat that risk? And how do we do that?
One of the things I wanted to add to that. And I think Miroslav can really walk us through this somewhat, is that, his challenge of opening this hospital, several hundred assessments, and this is where our team with the platform automated the process so the team, we collectively with them, could focus on the risks themselves.
Automated nagging. They haven't answered the questions yet. Capturing all that information in one place, not in a hundred emails you have to go read. So you have them on an auditable record, right? And Miroslav, I think about what you've done with the size of your team.
Pretty remarkable. That's where the lever was so important, how we refined it with you over time.
And you guys have provided a lot of help to us, again, just from the resource perspective. We have three security specialists. We're responsible for these risk assessments, and they have plenty of other things to do, so going through all of those is a challenge, and they don't necessarily have expertise in all of the components, whether it be medical devices, clinical devices, or systems, so we rely on some outside help, and George and Scott, your organization is so neat.
Help us along and then continue to help us along with it. So
George, you and I've talked a little bit. I'm jumping off here a little bit. Maybe going down a rabbit hole. We talk a lot about artificial intelligence. I know that you you have some capabilities built into the tool now to be able to help accelerate.
This, I, I look at what you do and a lot of it is like a master project management tool. Risk. And a lot of it is just helping you document it all so that you actually have it all in one place and you can report on it and see it and share it. Some of it is also helping to cut down on the number.
It doesn't have to be the only way to solve this problem is pour more humans into it, right? Correct. AI to help with a lot of that.
Yeah, it's really flattening the effort, cost, and time curve, Drex, because our teams working with Miroslav and other clients, we're reviewing that material, and we started early in the year looking at ChatGPT, OpenAI, and these large language models, these neural networks.
And for a limited domain with a precise set of questions, they can be very helpful. But, by and large, there's obviously massive amounts of productivity that we'll be able to unleash through these things, but there's like a very intelligent ball of jello. You have to know how to ask the right question of.
And between running on Azure and Microsoft's development infrastructure and our team, we're able to, and we're releasing it basically this week, we have an agent now that can read the answers to the questionnaires. Look at the evidence and evaluate it, so that whether it's someone from our team or someone in Miroslav's team, what would have taken us ten hours of reviewing, now can happen in 30 minutes, an hour, and the system will point to the, hey, this is the evidence that I thought was shaky, look over here.
Manager by exception. Red, yellow, green, so And that's the next step function in automated leverage. And it's all about making sure that Miroslav and his team or our team supporting other clients can really get the maximum amount of really high quality work done for the least amount of time and the fastest speed.
I was just going to say it's not only just The internal aspect of that, it's enabling more responsive nature back to the third party as well, because they see that as a detriment making it easier as they're entering and providing that information that can be translated very quickly, over to Miroslav and their team to say, Hey this, I agree with that.
I don't agree with, but ultimately giving them those indicators, a lot quicker. And you're talking about 50, 60 percent reduction in that time that they have to spend working, sifting through that information.
Yeah, that makes sense. Putting yourself on the other side, one of the questions that we have in the chat right now is the question is IRM for TPRM was a great tool for the party assessing third party risk, but it's one side of the coin.
How do you tackle the burnout on the side of the vendor who has to answer a unique questionnaire or a unique process for each of their customers, right? Part of that is like you get back to them quicker. So at least they don't say, yeah, I wrote that answer, but it was like 45 days ago. And now I have to go back and remember everything that I wrote. But there's a lot of burnout on that side of the house too. George, how do you how do you think about that?
That's from our friend, Uncle Dennis. Essentially, there's this notion of shared assessments and there are a lot of gradations to that.
There's been a number of entities in the market trying to solve for this. I think where the rubber meets the road, Drex, is you have to be very careful. We, and Miroslav and I have worked on this, he's been very generous about sharing the assessments he's done with other similarly situated Meditech clients, for example.
Part of the challenge is anything that the chief legal officer of a third party would want to provide at everyone can see it level is not as deep as many individual clients would want. Because are you going to allow all that detailed information out there? How do you know it's being protected? What can be done with it?
So there's a liability there are a number of other layers to that problem where current answers in the marketplace to that tend to water down the result to share it, to make it to the point of it's not almost worth sharing.
You're making it so vanilla.
Yeah. It's a little useful to you, but it doesn't necessarily answer the detailed questions that you need given your specific environment.
And there's still room for commonality there. ISO has a pretty good standard. NIST has a good standard that we use, but ultimately you look at the shared library that's, eight months old.
Are you going to rely on that when it's missing 30 of the questions that you really care about? So that's where. I think the industry has to work through more of that because that end of the problem has not been fully solved yet, but it's one that, we're paying attention to and, we're doing some curation and sharing in areas of common interest among like minded clients where we can share more depth more easily.
But it's a good question by Dennis. And it's, I think an important one. Miroslav, why don't you opine on that, because you and I have talked about this a fair amount.
I was going to say we've had this conversation for years now in terms of having this quote unquote, clearinghouse of this information that's common to everybody.
To Scott's point, I think the vendors can save tons of time when they provide that information as a packet to somebody, a clearinghouse, that everybody can get to. It doesn't have to be addressing everything, how many vulnerabilities you have, how many attacks you had against you, all that, but even the basics, what's your architecture?
How often do you do patching? And all of those things that are, should be more transparent than the, again, the private things or things that they want to keep off of the public's eye, that'll reduce their time as well. Again, the concept of this clearing clearing warehouse type of thing is something that has always been something we've talked about.
The work you all have done as a high trust assessor, I just think to myself, like, when I had a third party show up and they had a briefcase that had all the Stuff in there, we're HITRUST certified. Here's an overview of our program. Here's, that's ultimately what you're trying to figure out, right?
Miroslav is just the, I want to make sure you have a good security program and you're making progress and I don't expect you to be perfect, but you've got a program and you're making progress and I have visibility into that. That's a lot of what you're looking for right there. You ask 100 questions or 200 questions because that's not transparent out of the box.
And George and I again talked about the fact, there are other services out there that provide components of that risk assessment. You have security scorecard, you have other things that kind of grade on the level playing field that kind of grade vendors. Do we rely on that all the time?
No, because again, they don't expose a lot of the details, but at least you have a feel for where the vendor is. How mature they are in the program, all kind of risks come with it. You can deduce some things, not everything, but some things you can deduce from there.
And Drex, on this global point, I think what we're also, we're already seeing a lot of the regulatory moves in this area.
But essentially, even in the insurance moves in this area, if you look at the typical sort of contractual relationship between a third party and a covered entity, they have their license agreement that has limitations of liability, etc. They have their BAA that then talks about direct damages in the event of a cyber event, right?
So the insurer for the vendor is now going to be a lot wiser about, Oh what does that mean? Okay. If we're going to pay on that policy, if you are attacked, and the legal team on the part of the covered entity is going to say, Is this really enough coverage given the impact and the breadth and depth of what this third party is?
What Miroslav has been doing in getting that categorization and the impact and the relative completeness of those third parties is part of the strategic input to that kind of process and risk management.
Yeah,
and like you said,
there's definitely some regulation coming,
Scott. Yeah, I was just going to say, think about this, they're all indicators.
Every organization in healthcare is different. And we've got to think about that, right? So even if that, we use those things as indicators and trying to standardize and get a gauge of what I'm likely bringing into my ecosystem. But ultimately, and Miroslav knows this and can talk a little bit more in depth about it, if you're gathering that information, whether it's a HITRUST assessment, whether it's a SOC 2, that's a point in time.
It's not
beyond that. What if I get a report as an individual company. And I say, okay, that SOC 2 was issued 11 months ago. A lot could have happened in that organization over the course of the last 11 months. Or maybe the way that I'm implementing a system is completely different than the way that my fellow colleagues at another system are implementing it.
I've got different controls in place. So you have to take a lot of those factors into account. And, I think leveraging We call those rapid assessments that we produce is, Hey, here's a baseline of things that I really need to know before I bring you into the organization, that likelihood, right?
Great. You're going to have a HITRUST report, which is a good security foundation from a program. You have a SOC 2, talk to me a little bit about X, Y, Z, cause they're going to be treated differently than, ultimately, we have an HVAC company coming in, still there's impact based on the way that they're setting up their system.
But if I've got another third party, that's going to be providing IV pumps that are connected, as IoT across my environment, we need to make sure that is set up appropriately. And they've got the appropriate controls and safeguard that before I bring them on network. That we've got them.
And so enabling that through the varying levels of assessments, because that's the other thing too, is we talk about all these third party assessments and assessment burnout is through our software solution, Protect, you actually enable to reduce that because you're doing rapid. Or you're doing a more targeted assessment as opposed to this, full on, here's 380 questions, please answer it.
I don't know who you are, we're going to treat everybody the same, answer 380 questions. That's no longer the case. You can't do it that way. And Miroslav can talk again about the assessment types, but, everybody has to be unique in that case to reduce, again, more of that burnout and fatigue that's specific to that operating technology.
It goes back to that conversation about risk Miroslav? If this appears to be something that's well integrated into everything that we're doing, we need to ask more questions, and if not, maybe not.
And again, just jump in a little bit beyond that is, again, it's not just products and and things that we connect in our network.
It's again, if the vendor supports us remotely, if they need to get into our systems remotely. Services, not even technology. They do our billing for us. If they do chart reading or reading the DI images, that's a security risk. If they are not protected on their end, we're exposing ourselves. So we need to be a little bit thorough.
And sometimes we wind up recommending things to vendors who are not maybe as tech savvy as others and say, you know what, you should probably bring somebody in to do your patching on a regular basis or something else. Because again, that exposure. From what I believe, 90 percent of challenges and attacks originate from access control issues, not so much technology necessarily.
So access is important.
So I have another question that somebody had sent me directly earlier, and it's about corporate assessment versus product assessment, and those are different things. Tell me how you define that and how you work through that and make sure that those organizations are secure technically, but they're also companies you really want to work with operationally too.
Yeah. And we work with Intraprise on the product, again, different levels of assessment that Scott was talking about. Not just types of products, medical devices versus IP devices, but also again, corporate level versus product level. You take GE, how many different products they have that have different infrastructures, different everything else.
And yet they have probably a corporate level, cyber awareness program. So we want to get into those. What are their procedures? How do they handle our PHI if it gets to them? So again, different levels of assessments, different questions. We had several, our GE product vendors or providers, they have no idea what the corporate level compliance is, but we need to understand that because that spans across all of their divisions and we understand how they treat.
George,
I feel like you want to jump in on that. Actually, not about that. First, I wanted to mention something. It shouldn't go without being stated, but I actually was privileged to tour this hospital that Miroslav and his team opened right before Labor Day last year. It is amazing. You think about hospitals as old, grimy buildings have been around a long time, but this thing was reimagined.
And Eric, the CIO, was leading the tour in his hard hat. I remember that, Miroslav. But it was really the thinking that went into staff productivity, patient connectivity, was off the charts. It really is something. It's a special place, and everyone should try to go see it, but not as an admitted patient.
I think to this question, Miroslav is absolutely right. And this is where especially larger entities have invested in a HITRUST certification, but a HITRUST certification will apply to a system, not necessarily a company. So that's where having that mapping inside the product that we built out, as Miroslav was walking through the process, is important, because you do want to reuse that kind of information where possible, and understand sort of the provenance of the third party vendor, because that's going to have some impact on their overall security posture.
I'm reflecting back also to something that Miroslav said earlier that I wanted to ask about, a different topic, different subject during my time as a healthcare exec.
You would get folks who would show up with the "I've already decided to buy this" or "I already bought it and they're going to be here on Wednesday. Should hardly take any work from you at all from what I'm told. But I need for this to be done like next week." This is not, everybody's laughing because everybody's seen it and lived through it.
It's not funny, but it is the world that we live in. How do you deal with that situation? How do you get ahead of it? You talked a little bit about it, but focus on that for a minute.
Yeah, Miroslav, walk us through that. That was a good one.
Oh, and again, I mentioned it a little earlier, when they own the risk, when the operations owns the risk, they have a different hat on.
They start thinking a little bit differently. But we do challenge them, we always, again, through education and training of managers, we say, start this process before the project gets on the board. And do things get through the fence? Yes, they do. We address it. We do put contract language into place and say we need to still do the risk assessment process.
We can sign on the contingency basis that you'll follow the process. We need to understand what the risk is. There's no such thing as, sure, bring it in, implement it, and we'll never look at it. We'll go back. It may be post case, but we will go back. We want to make sure that we can address any issues with some sort of remediation plan.
So if we do have a deficit in some component of security or whatever, we want to be able to put controls around it and let the users use a system that they believe is appropriate for them, but in the right way.
So it's really a cultural thing as much as anything.
Cultural, it's awareness, and it's awareness both on the operational side, but also in terms of risk, but also on our side in terms of how do we protect the organization with this sub, I don't want to say substandard, but substandard from a security perspective.
Drex, I think part of the point that we worked on with Miroslav is we ended up refining the questionnaire to a slimmed down pre-assessment questionnaire that's incorporated with the automated platform early in the buying process. So you want to get in the early stage of a buying cycle, have that be sent out, because you have a lot more leverage before the contract is signed than after the contract is signed.
Those brief questionnaires, 10 to 12 questions, tell us whether or not we need a broader assessment, or the risk is small, or the risk is so high that we really can't move forward.
I like that approach of not everything is the same level of risk. And I think in healthcare, we often treat because we don't define this stuff.
We don't define the level of risk. And this goes to like data that we have inside the organization. Where are the crown jewels? How do we do information, management, that kind of stuff. We have to treat everything like it's top secret, or we have to treat everything, we have to treat all of these engagements like they all have the same level of risk and they don't.
Scott, I think you were going to say something there.
No, that's a great point, Drex. Talking about, it's protecting the data. That's what we're all here to do. It's a shared vision, not just security, IT. It's the providers too, right? They want to protect the patients whom they serve.
And we have the same ethical code that they do. That's one thing you got to think about. I once had a CMIO, former colleague of mine, Dr. Bob White, he was with me and came to my class and had my students read the oath for a provider. And same thing, protecting the data.
And that's what it's about. And security's not the roadblock. Which is also an interesting point, right? That's something that was a common deflection point. I can't send this to Miroslav or to a security team because they're going to be my roadblock. They're actually an enabler. Great point.
Yeah.
Yeah.
It's, I'm trying to help you do the same thing that you do on a day-to-day basis, and the data is, I'm giving you an indication of what this risk could be to us, and these are some likelihoods, but ultimately, we're here to help you achieve the same outcomes, but in a more secure and strategic fashion.
I think that idea, too Miroslav, talk a little bit about this. Doing the work that you're doing, actually helps enable the organization to meet the mission and be successful. I think we're turning the curve on the oh, those security guys are always doing stuff to us too. I'm so glad the security guys are here because I don't know what we would do if these systems weren't available to us.
What's your feeling? How are you seeing that in your world?
Definitely. We have a lot more engagement on the front end from our operation folks. And even if, again, the system or vendor is not really impactful in terms of security risk, they would come and say, I need you to take a look at this, let me know if it's okay to move forward, because they know at the end of the day, it's good for the organization.
And if the organization is at risk. Certainly patients and our staff is at risk.
Yeah, the staff burnout stuff is real. I'm going to go to a couple of questions from the audience. You guys okay with that? Of course. This is stuff that had been submitted. This one had been submitted before we did the webinar, by folks that had registered.
How does one get a vendor to own their own vulnerabilities and invest in the needed resolution? This is something we've all been up against. We have a partner that has a challenge and you got to continue to poke them. How do you make that work?
Yeah like I said, we can't always control what the vendors know or do.
We know how they impact us, but we don't know what their back operations are and what they're capable of. And as I said earlier, I think we engage with the vendors, especially those who probably don't have a large security practice or security awareness. And we're trying to help them, we're trying to work with them.
If it's vulnerabilities, we'll say, you know what, we'll send you, instead of accessing our vulnerability system, we'll give you an Excel spreadsheet with all of your vulnerabilities. Deal with them, address them, this is what you should do, call this person, go to Microsoft for dispatch. So we do try to work with them at that level.
And you have to be accommodating. Again, some of these vendors, just because they host their product or their service in Amazon, they think we're secure and, everything is fine and dandy. A lot of times they're not. And that's purely because of their operational deficiencies or other things.
Again, we try to work with them. We facilitate calls. What we've done with Intraprise, as an example, just recently, because we've gone through a vulnerability scan, we've partnered with our scanning company to actually get the calls from our vendors if they have questions. So, what does this mean?
How do I remedy the thing? So we facilitate those calls, our analysts facilitate those calls, and we hold their hand a little bit, because at the end of the day, again, the system is here. We need to protect them and secure.
It's a partnership. Everything's connected to everything else. So you gotta help them sometimes as much as they're helping you with the application or the service.
George, I wanna go back to this HITRUST assessor thing. You guys are HITRUST assessors. You've been doing this for a while. Thinking about how that helped you build the program and the service that you have today. Can you talk a little bit about how that, how they're pull through on all that?
Yeah I'll take a first shot and I think Scott probably has more depth to add beyond that. But I would try and distill it the following way, Drex. HITRUST as a framework is actually very elegant. The way it's scaled, the thoroughness, the detail, the evidence evaluation, the continuing, corrective action plan mechanisms, all that.
So think about that holistically, we've tried to create an agnostic version of that in a sense, with automated scaling across every connection point. Because whether it's HITRUST, or NIST, which is so abstract it's almost not, you have to apply it with real expertise and your own real definition of what's level X versus Y.
Those are two ends of the spectrum, very prescriptive, not that prescriptive in a sense, but we wanted to create that mechanism to let that same thinking of managing risks over a life cycle, granularity, but also aggregation, and then overall leadership prioritization. That was the concept.
Yeah, I love it.
Being agile about it, right? Things change over time too. Scott?
Yeah, just like HITRUST. I've been around HITRUST way too many years, but I agree with George, it's an elegant but pragmatic way for organizations to adopt a framework that, it's something that you can demonstrate growth year over year.
I think that is the lesser point that not a lot of people take great advantage of when it comes to HITRUST. They're like, hey, it's an audit. I just want to get it done. I want to demonstrate this to my clients, but actually it's a means to show, program maturity and outcomes, not just the activities that underlie and have to be achieved, right?
It's also the outcomes, the remediation, the growth. How do we do this? Who owns that? The accountability, talking about accountability externally, but internally, who owns these things and how they're applied across the organization. And that's the same mantra as we look at Protect as taking those components and saying, okay, this shows you program maturity, but at a more daily scale too.
So you're taking that information and bringing that really in. And we have a lot of HITRUST clients that we talked to about this, and actually it got brought up in a conversation I was having yesterday about, we do this great thing, but it's a point in time and then everybody drops it, but it should be adopted.
And that's the beauty of Protect. It's really rooting it into your DNA, as we talk about, so
Ongoing workflow. This is how we deal with this problem day in and day out. Exactly. I like that.
Miroslav's example, right?
Yeah. So we're coming up on time. I'm going to ask one more question. This is a big one, Miroslav.
hing that we've had happen in: How does all that tie together? How does this help you get through that hard problem too?
It's a good question. We certainly from awareness and going through the processes that we put into place, we're trying to eliminate shadow IT. We don't want these departments to go out there and sign up for a web program somewhere without any controls, and now they're accessing or sharing our data.
With the vendors, change management, change control practices are improved because of, again, the patching and vulnerabilities. The big one for me, I think. If I think about it, it would be business impact analysis. I'll give you a good example. We did our first set of BIAs probably two or three years ago focusing on key systems.
Intraprise helped us along with those and we identified, went through the whole process. I think it was a pretty good assessment, but we've come to understand better is that BIAs need to be expanded not only to products and systems, but to business units. We had with Change Healthcare, for example, we did our BIAs.
Nobody talked about Change Healthcare because they don't use it, but they use components here and there. They use, billing bill payments and then other things. And now suddenly the business, the operational units, can't do their work because something else is out. And it impacts across the board.
So you can't just assess the system in the BIAs. You have to assess the operational units. So we're going to go back and start doing that. We're going to start expanding our BIAs based on the business operation departments. And then one thing that again came out of Change Healthcare is the requirement, I don't say requirement, but desire not to put your eggs in one basket.
Don't use one vendor for everything that you do in a particular line of business. Have alternatives. Have vendors that you can go out to and spread the work, so you're not totally out if one vendor is impacted or compromised. And that requires, again, some thought process and assessments, because you don't want those vendors using the same system on the backend at the end of the day.
So you want real redundancy there. And certainly business continuity plans. Develop those on the operational level. And we've learned that we preach practice. You can't just develop a plan, sit back, and then expect to use it three years down the road without testing it or validating it.
Those are the key things that I can think of off the top of my head with respect to IoT. Disaster recovery, business continuity.
I like the business impact analysis and the BIA, the conversation that you have with business, clinical and research operators and the leaders, the managers and directors and vice presidents in those departments. It helps them become much more thoughtful.
They understand how the systems that they use impact their workflow. So they become way more concerned about. This magic just happens. They actually know what the system is, and they actually ask a lot more questions about how that system works and where it fits in their workflow, too.
Unfortunately, the Change Healthcare case scenario that I talked about was real to us, and it was an aha moment for our operations.
I need to really sit and think, what am I doing? What operational need and what I need to protect.
Yeah. I think a lot of people had that surprise. We are out of time. I wish I could keep going. There's so much stuff that we could cover. This has been Short Staffed and Under Threat: How's Your Organization Managing Cybersecurity Priorities, sponsored by Intraprise Health. Gentlemen, thanks for being here. Thanks to the audience for being a part of this. I look forward to seeing you all again on a webinar soon.
Thanks for listening to this week's keynote. If you found value, share it with a peer. It's a great chance to discuss and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. it if you could do that. Thanks for listening. That's all for now.