This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Learn more at fortifiedhealthsecurity.com. Today on Unhack the News.
Tamra Durfee: educating them about why it's important. And knowing that you're a partner. That you're not there to say no and to block them. You're there to partner with them to say, we need to implement this. How do we do it in a secure way? If you're the no person all the time, I've found that then people will go around you.
rsecurity companies. Now I'm
And now, this episode of Unhack the News.
Sarah Richardson: Good morning. We are so excited to be joining you from Atlanta at the SOAR Conference, which is a partnership with Bluebird Leaders and This Week Health. More importantly, we are covering Unhack the News today, because Fortified Health Security, who is one of our partners, is also a sponsor of this event.
I am grateful to be joined by both Kate and Tamra from Fortified. Good morning, ladies. Good morning. So before we jump into the topic of today, which is really about the diminishing or the need for Cybersecurity workforce and how there's a huge gap, not so much in the talent gap, but the ability to get people into this field gap. What have been your impressions from the last day here at SOAR?
exciting to be able to come
Tamra Durfee: I think this has been one of my favorite conferences I've ever been to.
I like that the size is smaller, and it's really more intimate, and I've been able to build some networking relationships. And I think that's important as the younger generation, we're trying to pull them into the market. And I think if we as experts and leaders can show how women in cybersecurity can enter the field and be successful, I think that sets the stage for the younger generation as examples.
report, there's a gap
What are some of the best ways we can entice people to be excited about cyber security, especially when it's a role that tends to be more fragile or at risk in some organizations due to the fact that it's a matter of when and not if?
Kate Pierce: I feel that cybersecurity is going to become a big spotlight and already is becoming a big spotlight for organizations because as we implement technology, cybersecurity has to come alongside that.
And if we don't begin slowing down maybe the pace so that we can wrap our new technology deploy it in a cyber safe way, then we're going to continue to see the need for recovery. I would like us to become more proactive and get us out in front of these cyber risks before they happen and reduce that.
r foundational cyber up to a
Tamra Durfee: Yeah, I think, as I was talking about bringing up the next generation and how do we bridge that skills gap and get more people excited about cyber security.
Earlier, a speaker at Bluebird Leaders yesterday was talking about interns, and that's an approach I used at a hospital I worked with where we hired interns from the local college, and they were I actually follow one on LinkedIn who has gone on to a career in cyber security. So I think again as us, as leaders in cyber security, making those opportunities available.
Internship programs are a great way to introduce people into technology and into cyber security. And that was something successful that I've done at a hospital to grow that and build that generational gap that we're seeing and promoting those resources into cyber security.
are some ways to remove the
How do you start to break down that barrier a bit that says you don't have to have these huge degrees before you start your career in this space? How do you get a sense for encouraging people to enter a field before they are perfectly qualified from their perspective to do so?
Kate Pierce: I think that we need to break down the whole mindset, the culture that we have in the U.S. that cyber security is a man's field. And we're seeing that more and more continue to get better generationally. We were looking at some numbers yesterday from a Women in cyber security report that was put out by ISC2 earlier this year. And it indicated like for the 55 and over, we're seeing only 13 percent of the folks in cyber security in that age be female.
But when you get down to the
Tamra Durfee: Yeah, I think, my degree is not in cyber security, and so I think that it doesn't have to be a barrier, and I think it's, organizations recognizing that investing in potential, versus a degree on a paper, can really help them close that skill gap and that hiring gap, whether it's male or female and, opening up opportunities and presenting those opportunities to candidates that they don't put those requirements on their job applications.
them is really going to help
Miroslav Balote, CISO at Valley Health, will share his journey to building an integrated risk management program that automates and simplifies vendor risk. Alongside experts George Pappas and Scott Matilla from Enterprise Health, this session will cover the latest challenges and practical solutions in managing cybersecurity threats.
Don't miss this valuable conversation on protecting your organization and improving compliance without overburdening your team. You can register now at thisweekhealth.com slash cybersecurity priorities to secure your spot.
Sarah Richardson: So when an organization has a gap in cybersecurity staffing, we're going to call you.
lthcare IT is the governance
What I have not heard in this conversation made me really think about it in preparation was, adding what you're going to need from a cyber and risk perspective to that ongoing continuity of operations. And when you think about building those business cases to bring new technology into an organization that's going to require cyber support, where does that conversation plug in?
How soon and how aware does an organization need to be to make sure that's part of the conversation?
Kate Pierce: I think everyone should be aware of the increased third party risk. And when you're evaluating new digital assets for your company, cybersecurity needs to be at the table right from the very beginning.
re we're stopping that a lot
We did a roundtable yesterday. And there was a question about like at what point in that purchasing life cycle are you bringing cyber to the table? What point is cybersecurity becoming part of the conversation? And there were like 35 percent that were like, after the contract's already signed and we're ready to deploy, then we think about cyber.
And then it's really too late.
Tamra Durfee: Yeah, I would agree with that. And I think it's really building an organizational culture of cybersecurity that is the key to that. Because if you have one CISO or one or two security analysts, they cannot protect an organization by themselves. And you can't just do it with your IT staff.
o are wanting to bring those
And educating them about why it's important. And knowing that you're a partner. That you're not there to say no and to block them. You're there to partner with them to say, Okay, we're going to implement this. We need to implement this. How do we do it in a secure way? If you're the no person all the time, I've found that then people will go around you.
But if you engage as a partner and you build that into the culture, and same thing with the contracting. You've got to partner with your contracts team and say, if you see anything that talks about software or hardware or applications, that needs to come to IT and to the security team for a review.
Sarah Richardson: It does.
You've got cyber risk, legal, compliance, IT all at the table during the contracting phase. Through the deployment of the project, you think of the success of that project and how important it is to make sure that staffing remains because so many people will think the project's live and therefore it's just out there and it takes so much to make sure that it goes right.
are tremendously important.
That's not how this works. And so as you think about preparing even some of the newer technologies coming into organizations, what are some of the things that need to be true? HITRUST, HIPAA, what are you looking for most to say this is going to be secure enough to deploy into a client's environment?
Kate Pierce: You point out some great ones HITRUST, they need to be HIPAA compliant, but there's really it's beyond that. It's, you can be secure at the point you're deployed, but you need to remain secure throughout the entire life cycle that you're in the environment. I know the FDA last year indicated that any new medtech that comes into the hospital, that's getting FDA approval has to be secure by design.
put your product in and then
Tamra Durfee: I think, having all of those is, HITRUST knowledge is important, but validating that our third parties and our medical device manufacturers are actually truly meeting them. It's one thing to say that you are, but that's why the third party risk, I think, is so important. And asking those questions and digging into that.
Asking, are you doing multi factor authentication for your privileged access? I have been specifically asking that question on, and every third party I've been doing an assessment on. And I've actually been surprised at how many say no. And so I think that the problem is that, they can say they meet the letter of something, but when you really drill in and ask them the hard questions and hold them accountable to it, and if you don't do it, what is your plan to get there?
Most of the time
Sarah Richardson: I want to ask a logistical question for you because talk about, okay, keep your application secure, turn on multi factor authentication.
And yet, if you are deploying a workflow for a clinician, and they don't want, that's multifactor authentication because it's disruptive in their environment. What would that conversation look like?
How do you influence an organization to make good decisions to protect the patient and protect the data?
Tamra Durfee: So I think when I've had those tough conversations again it goes back to the culture and making sure that at the executive level of a hospital, that they understand the risks associated and that they are on your side and will back you, so that when you do have those conversations, physicians are the hard one trying to get them on MFA for remote access.
cess, but you have to do the
It doesn't do any good to treat a patient and send them out the door to have them involved in identity theft because at the hospital they were treated at, their data was compromised. And so I think when you flip that on the physicians and the providers and explain that perspective that they don't think about.
It's just a different viewpoint that in cyber security we're looking at it from that way and they're not thinking of it from that perspective. I've most of the time, I have no longer gotten pushback because we're wanting to treat the whole patient and that's part of it.
Kate Pierce: And I think it's also important you talked about governance.
arching piece to ensure that
Your CMIO is your best friend. Yeah, exactly.
Sarah Richardson: Absolutely, and if the decision is to not use those workflows, then who's accepting the risk in the organization so that it doesn't then say, Wow, our team didn't protect us. We did, and here's the decisions that we made. That documentation trail is really important.
It also comes back to help you make better decisions for the future because there will be sometimes a small event or something that is, hey, it happened, but nobody noticed, which is our favorite type of event. And yet, because we did avoid that challenge, we still need to be thinking about how to make sure that it doesn't become something bigger next time.
wants to be that person that
There's been plenty of them. I remember there was a hospital that was a partner, they were a tertiary care center that we sent a lot of our patients to, and they had a major cyber incident. And after that, I had a lot more acceptance from our physicians in accepting the constraints within just managing those risks to our organization.
came out with a paper in late
Sarah Richardson: And think about the fact that what you do at work to keep yourself safe applies to what you do at home to keep yourself safe. And so I love the fact that we can start to pull forward this next generation because if you're looking about, keeping themselves safe in a completely digital world.
Today's generations are 100 percent digital. What are the best protocols? They need to be safe at home, at work, etc. And so I'm hopeful that we continue to bridge this half a million person gap and what we need just in the U.S. for cyber security and events like SOAR, where there's so many women who are really well geared to be successful in cyber security.
We think about the conversations of you. Women make the healthcare decisions in their families. They're the ones who protect the family. We are naturally wired to be excellent cybersecurity professionals.
Kate Pierce: Oh, I definitely agree. I think someone said that to me yesterday in a conversation after they spoke and I think that's completely true.
I like the analogy. You can
Sarah Richardson: organization and still be fierce in the process of also being empathetic enough to understand what it means.
Kate Pierce: This is just such an untapped potential to increase women in cyber security. And part of that is right now we are at 23 percent female security experts in healthcare. Think of that untapped potential that we can use to lessen that 500,000 personnel gap in cyber.
It's, and I think it's just a matter of time before people begin to realize, women begin to realize and embrace their ability to be great at being in cyber.
Sarah Richardson: Thank you for being at SOAR. Thank you for being a partner. Thank you for sponsoring the event. We know we'll all be back next year.
This has been incredible. And it sounds like we may be able to start turning it into a recruiting event for women in cyber as well. That's all for now. Thanks for listening.
latest developments. And now
Sign up at thisweekhealth.com slash news. I'm your host, Rex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.