The Real Risk in Cybersecurity: Staffing Shortages and Capable Talent
Episode 44 • 19th July 2022 • This Week Health: Community • This Week Health

Shownotes

July 19: Today on TownHall Reid Stephan, VP, Chief Information Officer at St. Luke's Health System interviews Jeff Bird, System Vice President Information Security at PeaceHealth about his path to health IT and the ongoing labor shortage. What current risks and threats in the IT field keep him up at night? What is PeaceHealth doing to attract talent to help mitigate the labor shortage?

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

here on the west coast, we compete against the likes of Amazon and all the other technology companies, Microsoft in our backyard.

And so we've had to look at that and say, are we really benchmarking our talent practices against not for profit healthcare? Or are we benchmarking against large technology companies? And that changes the game.

Welcome to This Week Health Community. This is TownHall a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now onto our show.

Welcome to this week health community town hall conversation.

My name is Reid Stephan, VP and CIO at St. Luke's Health System in Boise, Idaho. And I'm joined today by Jeff Bird, the Chief Information Security Officer at PeaceHealth, based out of Vancouver, Washington. Jeff, welcome, and thanks for making the.

Hey Reid. Good afternoon. Thanks for having me.

So I'd like to start with a question.

I always ask my guests because I think it's fascinating and instructive. Take a few minutes and just kind of share with our listeners your education background, the career path that you followed that has led to the role you have today at PeaceHealth.

Sure. Yeah. My career path started back with an accounting degree. I decided that I was gonna follow in the footsteps of my dad, actually, and get an accounting degree and become a CPA, and sat for the CPA exam.

And as I did that, I realized that accounting was not for me. So I quickly pivoted, went to work for one of the large consulting firms and started doing some IT audit type work, where I could blend my accounting and IT skills with some audit work. That then gave me a position to go start doing some security and privacy work as a consultant. I spent about five or six years doing IT security and consulting for state and federal government agencies around the country.

And from there I had an opportunity to actually do cybersecurity for a hospital based in Denver, Colorado, and now 10, 12 years later, I've been doing cybersecurity for healthcare. I love it. That's a great way to give back and also be involved in a significant challenge in our communities.

Yeah, it's funny. You mentioned your accounting background, and I'm not sure if I've ever shared this. We've known each other for a number of years. I was an accounting major for a period of time. And in fact, I was in my senior year of accounting and I was in a cost accounting class. And we were, I don't remember what we were talking about, but I looked around the classroom and the majority of folks were engaged, excited about the content, and it just hit me that this was like a labor for me.

Like this was not enjoyable. I didn't gravitate to the subject matter naturally; it was a forced kind of activity. And I realized, man, if I don't do something, I'm gonna end up with a degree in accounting and then doing a job that is literally that, a job. And so I pivoted course, switched to an information systems degree. It took me an extra year to finish school, but it was worth it.

And I tell my kids all the time, find out what you like. And even if it takes you six years to get a four year degree, that investment is gonna pay dividends for decades to come. So,

yeah, I think also not thinking that whatever degree you come out with is the career you have to have. I think there are a lot of people who find their way into cybersecurity from a variety of degrees.

Yeah. A lot of them in accounting and finance, because it does lend itself to some of the deep problem solving and analysis work that we have to do. Sure. In cyber. So be open to all sorts of career paths.

I think that's a great point. And that diversity just creates a rich background that benefits the entire team.

So great point. Okay. Common question for CISOs, but what keeps you up at night? Like of all the risks and the myriad of threats that are out there that you're tracking and you're worried about, is there one or a couple that are particularly pervasive in terms of the space they occupy in your brain?

Yeah. I think there's been a big wave in the last couple of years around ransomware. And so I think all CISOs and all hospital systems think about what the impact could be of a widespread outage or disruption to operations. We've done quite a bit of work around planning for that. Here at PeaceHealth, we've spent a lot of time thinking about how we operate without technology, if needed.

I think that's one, that's probably a big one that's on everybody's radar. I think another one that people probably talk about, but maybe don't categorize as a risk as much, is just the labor shortage. I know we're gonna talk about this in a little bit as well, but being able to understand and pull together the right skills and the right level of depth to be able to withstand a large type of incident.

If you think about some of the largest, most impactful incidents that have occurred in healthcare, some have lasted 2, 3, 4 weeks. Yeah. Having the staff, skills, depth, as well as just stamina, to be able to stay at it for that long to respond, contain, and then recover from an incident is significant. And so one of the things that we did here at PeaceHealth when we created our risk universe and our risk categories is we created one for workforce development for that reason, knowing that if we don't have the baseline workforce to do our job, none of the other risks really matter at the end of the day, if we don't have the people and the skills to be able to deal with all the other things like ransomware, for example.

Yeah. I love that concept of kind of the business continuity angle.

So, yes, there's focus on prevention, detection. How do you then contain when you have an incident? But it's the recovery piece that oftentimes is the most painful for the whole organization. So your example of ransomware, and there are examples. Last year, you think about some of the stories in the headlines of systems that dealt with this and downtime. The recovery time wasn't like hours and days.

It was weeks and well into a month. Most hospitals and health systems would struggle to operate in a downtime mode for a couple of days, let alone a couple of weeks or a month. So thinking about that outside of the heat of an actual cyber incident is a really important exercise for all organizations to go through.

Yeah. When we did that planning, we found that there was just a lack of even the materials you would. Yeah. And so we went through a process of creating carts on wheels that will be stored in closets near each unit. And each one of those is stocked with paper. Yeah. To do charting. How do you do printing in a downtime?

All of the things that you take for granted that you don't realize are connected. And so we did an exercise called patient tracing where, once we had the base material set up, we practiced taking a patient through the journey of the hospital as if there was no technology. And that helped us see some of the blind spots and some of the areas where we really needed to be more prepared if there was not some sort of technology in place that we're used to using.

Yeah, I think that's a really smart way to approach that pragmatically and maybe kind of organically discover where you have gaps that you just wouldn't think of unless you did a modeling exercise like that. As you were talking, it made me think of some conversations I've heard: in the event of a ransomware or some kind of severe cyber attack,

if you had to make the decision to go dark, disconnect from the internet, one, who has the authority to make that call? Does your team know how to do it quickly and effectively? And then one of the things that we've talked about and discovered is a lot of our authentication might rely on internet based traffic.

And so then if that's gone and you now can't authenticate to some of your cloud services, for example, you've introduced an additional layer of complexity that impacts your communications. And so we're starting to think through, well, how do we build some redundancy into our authentication scheme? So that even sans the internet, we can still authenticate on a personal device or a personal network outside of the walls of our hospital.

Just important things that you kind of take for granted until you need them. And then all of a sudden you realize you've got a serious problem on your.

Yeah. And those are the things that will save the minutes and the hours that you need to be able to reduce impact to patient care at the end of the day.

Right. Which is the metric that we all are using in healthcare.

Yeah. So let's talk about the labor component that you mentioned. So even before the great resignation and the labor challenges that have kind of swept the nation, cybersecurity was a discipline that had a massive shortage of capable talent.

Maybe just share at PeaceHealth things that you were doing, even pre-COVID, to address that need and that constrained kind of supply of talent, and then maybe things you're doing now as that challenge has gotten even more acute.

Yeah. I'll tell you, there is no magic wand. It is an ongoing game of chess.

It seems like we've done some of the more traditional things where we've changed the way we advertise for jobs and changed our job descriptions. We've gone through some processes of making sure that our compensation bands are aligned to be market competitive. We've tried being creative about how we use different backgrounds.

Going back to our conversation about what degrees people have, what experience they have: could someone who's very good at IT audit come in and run a SOC, for example, because they understand the ins and outs of a process really well? So many different ways that you can be creative. At the end of the day, we also had to go and say, okay, PeaceHealth primarily operates in three states in the Northwest. Mm-hmm. Are we open to, and can HR and finance support, hiring outside of our three states?

Yeah, that brings with it a whole other set of costs and risks to the organization from a legal and HR standpoint. So we've balanced all of those. We have not, like many healthcare organizations, found the single thing that allows us to be competitive. In fact, here on the west coast, we compete against the likes of Amazon and all the other technology companies, Microsoft in our backyard.

And so we've had to look at that and say, are we really benchmarking our talent practices against not for profit healthcare? Or are we benchmarking against large technology companies? And that changes the game. Part of the challenge there as well is that it creates disparity amongst departments here within the organization, where you start to look at it and say, okay, are we willing to designate certain hot jobs and go recruit for those differently than jobs that we think are more common and easy to recruit for? These are the challenges we've talked through with HR. I think one of the keys for us has been to continue the ongoing dialogue and planning with HR leaders. Mm-hmm. To make sure that we're doing all we can. There's gonna be a give and a take and a balance.

There's no simple way to go out and just pay for the jobs you need. Retention is tough as well, because once you hire someone away, right, then that person is always going to be recruited to the next thing. And there's always someone who's gonna be willing to pay more. Yeah. And so, in addition to the sort of HR side of things, we've put quite a bit of time and energy into building a team culture and a team program around professional development. It has two components. One is just the social, integrative aspect of how we work as a team, which has been hard during COVID. Yeah, but we've tried hard to implement things like virtual social hours. The ability to give and receive rewards has been a big part of what we tried to do.

And then also on the other side, we've put together a professional development program that allows people to go get the training they need. And that is a big draw in cybersecurity, because we all know that our jobs change from day to day and the threats change from day to day. And so putting a commitment in front of people that they're going to have the ability to participate in career path training, yeah,

has been a big retention tool for us as well. Again, no magic wand, but I think putting together a collection of incentives and benefits for people is really how we can compete, at least at some level. The other piece that I will mention is that we have invested a lot in building partner relationships with trusted vendors, and it takes time.

But once you build those connections and those trusted vendor relationships, then you have the ability to pull in contractors on short notice and trust that they will be valuable members of the team. As we've done that, we've actually tried to brand our contractors as PeaceHealth employees as much as possible by making sure they use a PeaceHealth email address.

They use a PeaceHealth signature when they conduct business for PeaceHealth. They operate as a PeaceHealth info sec team member, and not as a vendor, and that's helped as well. It just brings sort of a more tight-knit community to our team, but also a better ability for that contractor to be effective within the partnerships that we have here at PeaceHealth.

Yeah, so no silver bullet, but I think you did a great job of just kind of cataloging a variety of strategies and approaches that I think all of us are trying to do one flavor or fashion of. As you were talking about, just the need to be flexible in the approach. The concept that equitable doesn't mean exactly equal.

And so there may be things that the cyber team has in their kind of compensation philosophy that isn't a like for like match with other areas, but you have to assess the risk, the reality of the really competitive talent landscape. It made me think, like for us, we have this years of experience methodology

that typically has guided our hiring practices and where people fall in the pay band. And we're really pushing to be able to have flexibility in that space, because someone may be really early on in their career, but have tremendous aptitude and demonstrated capability. And so we need the flexibility to move them through that pay band more quickly and not be constrained by the fact that they don't have five years of real world cyber experience. So it's just those kinds of things that I think we're more open to than we have been in the past. And all of those different layers together, I think, can help to not solve it totally, but certainly ease some of the challenges we're facing.

Yeah. And I think it's an acceptance as a leader that it is an ongoing game of chess, or musical chairs maybe is a better way to say that.

You can't, you can't let your guard down. You have to continually be evaluating and understanding where you have gaps or could have attrition or flight risk. Yeah. And pre-planning many of those moves ahead of time, in concert with HR.

Yeah, I think that's exactly right. And you can't get in this arms race, right,

that you're gonna lose, especially as a not for profit system. And so you have to maybe be a little humble and recognize that, okay, maybe we can't ever afford to recruit and retain a team around, like, red team, blue team, pen testing. So maybe we outsource that, because we can kind of predict the cost and make sure we have the capability we need.

So it's just a really fascinating time. And I. Good conversations that we can have to do the right thing for the immediate team, but also for the system that we serve. Yeah.

I think one other point that I would make in this area would be also, we've had really good luck hiring in at some of the junior levels: specialists,

junior analysts, people who have strong technology skills or other strong backgrounds, using that as a platform to then grow into other roles within the team. It seems to me that we've been able to find people at those levels more readily, and they're more motivated than people at a senior analyst or even a manager level in some cases, where the market is hyper competitive.

And to your point, the cost of some of those higher roles is just too much for someone like PeaceHealth, right? Yeah. Competitive in, and so hiring at a junior level and then doing your best to retain as they grow has been helpful for us as well.

Yeah. Jeff, insightful and instructive as always. Really appreciate the time that you spent with us today.

Thanks for all that you do. And thanks for sharing some of your background, your experience, and again, just some great guiding principles as a high performing CISO. Appreciate you.

Sure. Thanks. Appreciate your.

I love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. If you want to support the show, let someone know about our shows. They all start with This Week Health and you can find them wherever you listen to podcasts. Keynote, TownHall, and Newsroom check them out today. And thanks for listening. That's all for now.
