The intersection between cybersecurity and healthcare can be a complicated gray area for people who don’t know much about the topic. In this episode, we talk with Erik Decker, the Chief Information Security Officer at Intermountain Healthcare and a leading voice in healthcare cybersecurity. Erik reflects on how technology has to keep up with the pace the healthcare sector now runs at, on the threats it faces, and on the role AI and machine learning play in detecting them.
The future of cybersecurity lies in how fast technology can change, in the developer skill set, and in the analytics-driven skills practitioners need. Erik also shares his thoughts on cyber-safety and why systems must be resilient to attacks: if they get shut down, the consequences directly impact patients.
We met Erik at ViVE and had to interview him about this topic that concerns us all; tune in and enjoy!
About Erik Decker
Erik Decker is the Assistant Vice President – Chief Information Security Officer at Intermountain Healthcare. Previously Erik was the Chief Security and Privacy Officer for the University of Chicago Medicine, where he was responsible for its Cybersecurity, Identity and Access Management and Privacy Program. Erik has over 25 years of experience in Information Technology, primarily focused on Information Security. Most of his career has been focused on Academic Medical Centers, where he established two information security programs and an identity and access management program.
He is currently co-leading a Department of Health and Human Services (HHS) task group of more than 250 industry and government experts across the country implementing Section 405(d) of the Cybersecurity Act of 2015 within the healthcare sector. The group’s publication, released in December 2018 and titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” aka HICP, establishes a national healthcare cybersecurity standard for small, medium, and large healthcare organizations. Additionally, he led the development of the Health Industry Cybersecurity Tactical Crisis Response guide (HIC-TCR) under the same working group. He is also a member of the Executive Council of the Healthcare Sector Coordinating Council’s Joint Cybersecurity Working Group, a public-private workgroup formed under the National Infrastructure Protection Plan.
Outcomes Rocket Podcast_Erik Decker: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey everybody, Saul Marquez with the ViVE podcast series, and I’m so excited to introduce an amazing guest today, his name is Erik Decker. He’s the chief information security officer for Intermountain Healthcare, with 22 years of experience in information technology. He’s the chairman for the Health Sector Coordinating Council Joint Cybersecurity Working Group, a joint public-private partnership group tasked with protecting critical infrastructure as defined under the National Infrastructure Protection Plan. He is also the industry lead for the development of the Health Industry Cybersecurity Practices, also known as the HICP publication, under the HHS 405D program. A thought leader in cybersecurity and healthcare, I’m privileged to have Erik here on the podcast. Welcome!
Erik Decker:
Thanks, Saul! And it’s not Erik Decker, the football player, it’s the original Erik Decker, who’s older than the football player. So there you go.
Saul Marquez:
Hey, I appreciate the clarity, folks better know that. So we’ve got a lot of interesting things happening here at the conference, and one of the main things, you just stepped off the stage, incredible talk on cybersecurity, let’s focus on that, shall we?
Erik Decker:
Sure!
Saul Marquez:
Awesome.
Erik Decker:
Sure!
Saul Marquez:
So, so maybe to kick things off, let’s, let’s kick it off with sort of a summary of what you talked about on stage.
Erik Decker:
All right. Yeah. So it was 50 Shades of Grey of cybersecurity in a digital health world, I think is the title of it. You know, mostly what I focused on was the components of critical infrastructure and what that looks like at a national level for healthcare. So listeners may or may not know that there are 16 critical infrastructures outlined as part of our whole national infrastructure protection plan. I’m going to start throwing some acronyms out there, so I apologize for all of this.
Saul Marquez:
It’s good. It’s good.
Erik Decker:
So the NIPP is the national infrastructure protection plan, came about in about 2007 under a presidential directive originally. And the reason for this was these 16 critical infrastructures essentially make up some of the national interests that we have. So it could be economic interests, safety interests, wellness, national security interests, and so forth. Healthcare is one of them, finance, oil and gas, transportation, energy, water, all these things that we absolutely rely on on a day-to-day basis. The interesting issue is most of those infrastructures, I think all of them, are actually run by private industry, so these are not national government-run industries. And so in order to assure that we have partnership and we have the interests of the nation at the forefront of this, that’s where this whole critical infrastructure construct came from. It was essentially recently added into law, there’s a National Defense Authorization Act. Actually, most people know that one from COVID because other things got enacted through the NDAA. But that was codified into law here recently in the last couple of years. Within that structure, there are working groups. So all the various 16 infrastructures will do this a little differently. But within healthcare, we have a working group, a cyber working group, and that is the group that I’m the chairman of. So it’s an elected position, just rolled off of the board on that for the last three years. And then I have a two-year stint ahead of me with a one-year extension, if I do a good job, we’ll see.
Saul Marquez:
Hey, you got elected.
Erik Decker:
Yeah. Hey, working on it.
Saul Marquez:
They have confidence in you somehow.
Erik Decker:
So somewhere in there, and the group is really 300 organizations and 700 plus members. So it’s really a representation of the seven subsectors that make up healthcare and sort of like what we do about that. So the talk was really focused on how do we bring all this cyber scary stuff, you know, and think about this from a resiliency angle. We’ve always thought about it from a data angle, confidentiality angle. But, you know, really, healthcare is, we’ve crossed the threshold. We are now into a digital world. And that means all of this runs on top of technology. And that technology has got to be up in order for us to do it.
Saul Marquez:
So, yeah, now fascinating. And so today we have so many issues that the health systems are faced with. What would you say is the number one trend or thing that leaders need to keep in mind as they consider cybersecurity?
Erik Decker:
Sure, there are so many things to think about. But, you know, ultimately, at the end of the day, it’s about risk. You know, so there are a million ways that things can go wrong. You know, you can’t chase every single one of those million things because you never have enough resources. Even if you had a blank check, you never have enough resources to do it. We would actually bring the organizations to a screaming halt if we tried, because there are just too many places, you know, for things to change. So it’s about understanding, you know, what is the most prominent vector in and how does that happen? And so we, you know, thinking about it from an adversarial perspective, you know, and that’s kind of the climate we live in right now, especially with the geopolitical issues going on and some of the concerns of collateral damage of the conflict over in Russia and Ukraine. You know, so it’s about how do these adversaries actually get into your environments? What are the vectors in, you know, so I like to tell people, you know, focus on the threat and focus on the threat vector, how they access. And then, you know, use that to understand your impacts, understand your controls, and sort of build your defenses around it. There’s prevention in here, of course. Like that’s the first thing everybody tries to think about is prevent, prevent, prevent, and it’s great if you can do it. But I think, you know, at the end of the day, our detection and response is equally, if not more, important, especially in healthcare, where, you know, the data is everywhere, it has to be because that’s how we work. You know, you need the information in order to care for people. And it’s not the Coke secret formula that’s locked behind a special thing that only two people know how to get into, it’s hundreds of people that are actually behind every encounter, you know, that you have with your physician.
So yeah, so it’s about, you know, we have a challenging dynamic, you know, to sort of deal with that. And the answer can’t be like lock it down, lock it down, lock it down, lock it down. You know, that’s not the bottom world. We, detection, knowing where things go bump, things are anomalous, you know, investigations, all of that and then responding quickly and evicting bad actors from your environment. Like that’s the name of the game. And that’s where the extra investment and focus should be.
Saul Marquez:
I love it. Now, well said, well said, Erik. And you know, we’ve been talking a lot at the conference about AI, machine learning. What role do these technologies play in the strategies that you just talked about?
Erik Decker:
Yeah, I mean, so there’s a lot of this that’s still fresh and new in the AI-ML world. But, you know, there are good platforms that are out there that take this in. I mean, so it’s a big data problem at the end of the day, that’s what we’re faced with. There is tons of information, tons of noise in the system, and we’re trying to find signals in that noise. And it’s not just simple little algorithmic, yes/no, kind of things that happen. If you see this type of event and that particular thing happens, then that equals bad. Like, that’s not how it works.
Saul Marquez:
It’s not that easy.
Erik Decker:
So, you know, AI-ML helps you distinguish patterns, you can do things like normalize behaviors of individuals and understand how they normally access your environments, and if things change, that should be anomalous. But every person, you and I, are going to access the environment in a different way. So how do you actually profile that? I mean, that’s an AI problem. You know, that can be solved for, you know, malware and how that’s used. I mean, it’s all based on, you know, behaviors, the outcomes that programs run. And when they, you know, rather than trying to get to the source of if it uses this particular file or that particular thing, it’s more about like, why is it opening up a whole bunch of files on a network server in a very short period of time? It’s kind of more heuristic-based. It’s more focused on the outcomes of how the programs are working. And if it seems anomalous, then that could be something that is of interest. And so again, that’s another place where AI and ML help because it’s kind of self-tuning and learning and so forth. But I still think we’re in the early phases of AI and ML, like solving all of these problems. I mean there’s a lot that still has to be done. I think our profession is also changing. You know, we grew up as infrastructure folks at the, you know, I mean, it’s really not even an old discipline, and it feels like we’re talking like 15 years ago, and.
Saul Marquez:
It’s moving fast.
Erik Decker:
Yeah, like 15 years is a lifetime in the digital world, although it’s not that long.
Saul Marquez:
I know. But it feels that way, though.
Erik Decker:
Yeah. And so, you know, our skillset is different now, you know, I mean, the cloud has totally changed all of that, you know, the developer skillset, the analytics-driven skillset that is the future of cyber and how it all connects. And so, you know, us old infrastructure geeks that like our hardware, you know, that’s kind of becoming a thing of the past, it’s very true.
Saul Marquez:
Erik, one of the things you mentioned is this idea of cyber-safety, right? So this is sort of part of the evolution, right? And so can you speak to it? What exactly does it mean?
Erik Decker:
Yeah. So this is something that’s been coined out of the 405D program, which is a part of that critical infrastructure group that I mentioned. You know, we’re really focusing in on cyber-safety is patient safety. Think of it as like cyber-hygiene or hygiene in general, doing the basics, the blocking and tackling, the components of what make up the bare minimum of what you should be doing in this space directly impacts patient safety because like I was going with before, you know, we’ve all heard about the ransomware attacks, we’ve all seen the outcomes of those, you know, the ransomware attacks that bring down a system for 4 to 6 weeks or two months or longer. Those patients, I mean, there are emergency care issues that you have to deal with right out of the gate, there are acute care issues that you have to deal with and then there are even long-term impacts associated with that. So this whole thing turns into delay of care. And some of these patients, you know, they may or may not be able to get that care from another place, depending on what’s going on. So, I mean, you can talk about like trauma centers. If that gets shut down, you know, and you have a trauma case that comes in, that can have consequences.
Saul Marquez:
Yeah, catastrophic.
Erik Decker:
You have aggressive cancer and you’re supposed to get chemotherapy treatments and you can’t, you know, and that gets delayed because the systems are offline, and that’s patient safety. And when we say cyber-safety, we’re talking about the resiliency of those systems and making sure that they’re up. And if they’re not up, that we have contingency plans in place so that we know what to do about it to care for them.
Saul Marquez:
And that’s really great. And it’s great to know that this type of work is being done, that it’s no longer an assumption like, okay, we have to have operating mechanisms, a hygiene, so to speak.
Erik Decker:
Yeah.
Saul Marquez:
That we’re doing things consistently to take care of these things. Now, that’s really great, Erik, and so as you reflect on sort of where things are going, what would you say is the one area where folks need to spend time to get the best outcomes and best ROI?
Erik Decker:
Sure. So I’m actually going to give you two, if you don’t mind.
Saul Marquez:
Okay, yeah! Let’s hear two.
Erik Decker:
So the first thing is think about the adversaries and how they do what they do. You know, it’s well known that CISA, the Cybersecurity and Infrastructure Security Agency, it’s within the Department of Homeland Security, they produce lots of really good advisories on how threat actors are actually breaking into environments. And I think people should pay a lot of attention to that.
Saul Marquez:
Do you think folks know about the outputs?
Erik Decker:
No, I think that it’s still a fairly new agency. I want to say it’s, if I get this wrong, I’ll be wrong, someone’s going to flog me. It’s like 3 to 4 years old, maybe five. So folks are still learning what they do in their role in this and the whole critical infrastructure pool. But, you know, they’ve got a lot of services that you can produce or that you can consume, I’m sorry.
Saul Marquez:
Yeah.
Erik Decker:
But anyway, so some of their advisories, like they talk about the ways that the attacks get in, you know, from phishing, of course, that we’ve all known about for a million years, to very specific vulnerabilities that known bad actors are exploiting. You know, there are vulnerabilities out the wazoo. But that kind of intel is incredibly important to know, like, those are the ones that are being exploited and those are the ones you should start with.
Saul Marquez:
Totally.
Erik Decker:
Start fixing, like, I’m going to get a little technical here, like using RDP. You know, there’s still a lot of direct RDP access and that is a very happy way that adversaries are breaking in and using those avenues. So, you know, protect yourself against that, against the known threat actions and the tactics and the techniques that they use.
Saul Marquez:
And by the way, Erik, and folks, you’re listening to this, I want to make sure that we take this opportunity to plug this resource. If you look in the show notes of today’s podcast, you’ll see a link to CISA. There’s a site you can go to.
Erik Decker:
That’s right.
Saul Marquez:
And so, Erik, you’ll get that to us.
Erik Decker:
Absolutely.
Saul Marquez:
And share it with everyone, okay.
Erik Decker:
In fact, they even have free resources for healthcare so that … Taxpayer dollars pay for it. You can do pen tests, you can do risk assessments, vulnerability scans, they’ll phish you, they’ll run tabletop exercises, all of this is free.
Saul Marquez:
Awesome.
Erik Decker:
And things that people should absolutely use in this cash-strapped world that we live in so.
Saul Marquez:
Totally. Well, thank you for that. And folks, make sure you take advantage of that. Don’t just listen, learn something and act on it.
Erik Decker:
Absolutely.
Saul Marquez:
… Be the best. All right. Go ahead, Erik, part two.
Erik Decker:
Yeah. So the second thing, part two, is we are highly connected with our supply chain, and especially as we are at a digital health conference. And we think about like, well, what is digital and sort of how does this make itself up? And there’s a heavy cloud component to digital. My point about resiliency is we have to be doubling down on our business continuity and … recovery programs. We have to understand to a level of detail the workflows that flow over top of our digital environments, those absolute most mission-critical things. So when you think about a health system and what we do, you know, so you come in, you get seen by a doctor, you get a bunch of tests run, they diagnose you, there’s a treatment plan that gets put into place and then you get put into your treatment plan and you go forward, right?
Saul Marquez:
Yep.
Erik Decker:
So, part of that care, the diagnostics, pieces of that, what’s involved? Imaging is involved, blood work is involved, labs are involved. Part of the treatment plan, what’s involved? Drug medication dispensing is involved. All of this is the chain, you know, the life cycle of healthcare. If your labs are not working, your imaging is not working, or your drug dispensing isn’t there, suddenly, well, either you can’t be diagnosed or you can’t be treated.
Saul Marquez:
Right.
Erik Decker:
The expertise is great. You’ll always have the doctor, you know, and he or she will be able to help you sort of understand the situation. But maybe they won’t be able to diagnose what the actual issue is because we need all of this ancillary support and help. So what you need to understand inside your organizations is what are those absolute most mission-critical workflows and what’s the high volume of that, where the volume is so great that you can’t do it in a paper form, you can’t do it in a non-digital form, and for those that we’ve identified, then it’s about understanding the intersection between that workflow and the technology that’s residing underneath it. And now let’s stop assuming that there are likelihood scenarios where these things won’t go bump in the night. Let’s just assume it’s going to go bump in the night. Let’s take the likelihood off the table and assume the worst case scenario. Now, what do you do? You know, and so that kind of resiliency, that kind of business continuity planning, and you can tackle this in a lot of different ways, right? So there are third parties that, you know, that we work with and we might be completely reliant on that third party for running that mission-critical function. So again, assume that they’ve gone bump in the night, assume that it’s not available. How are we going to recover that? Is it a non-prem hybrid kind of thing? Are they going to have another relationship with another third party that can pick it up? You know, for those mission-critical pieces, we have to be able to build those plans in place. Can’t do it for everything because that is way too big. There’s so much technology that makes up healthcare, but it’s a different mindset, you know, a different way of sort of thinking about the risk and the impacts of that. You just assume the worst case and then you peel it back from there and then you can build your resiliency into the mix.
Saul Marquez:
You know, I love this, Erik, and it’s this idea, frankly, I’ve never even run the parallel. It’s just like a supply chain organization that needs parts and pieces.
Erik Decker:
Yup!
Saul Marquez:
You need to have a backup supplier for this and that. It’s the same thing for healthcare.
Erik Decker:
I mean, we’re seeing it right now with COVID and all the supply chain issues. You know, chips.
Saul Marquez:
Are affecting everyone.
Erik Decker:
The chip manufacturing processes are terrible. Or they’re bad right now, right? The volume, I shouldn’t say terrible. The volumes are bad, the shipping of those chips is bad. You know that, and it’s impacting everything from componentry of household appliances and all these kinds of things, you know, to the very chips that we use in our healthcare systems. So when we say we’re super connected into an ecosystem, that’s what we mean.
Saul Marquez:
Yeah.
Erik Decker:
I mean, you can even take this to the, we’re talking about that’s like digital health, digital technology, sort of using that as part of supporting the workflow. But this also goes back to the physical side of the house too. So your syringes, your masks, your gloves, your laundry, you know, I mean, you’ve got to change the sheets. You’ve got to, you know, you’ve got to wash the sheets before you put another patient in that bed after you turn it over. And if the ordering systems for all that stuff are unavailable because it’s all run digitally, then what’s your inventory? What’s your supply? How long can you last? Can you last 4 to 6-8 weeks? You know, without that, probably not. So what’s your fallback plan if that stuff happens? I mean, that’s kind of the thinking that we now have to start embarking on in this world.
Saul Marquez:
I love it. Erik, you’ve left us with a lot of really great things to consider. And so I did want to ask you, you know, with COVID, obviously, the entry point to healthcare has evolved. So care in the home is more real than ever, and with that come wearables, devices, remote patient monitoring. What are some considerations that folks need to be thinking about as they implement and scale these efforts?
Erik Decker:
Yeah, and that’s also a complicated relationship between the healthcare delivery organizations, the medical device manufacturers and the patient, because it’s a three-legged stool. So you get an implantable, the HDO might implant it, but the maintenance of that might not be done by the HDO, it might be done by the manufacturer. I think there’s an awareness piece to this, which is especially as we talk about wearables that are using connectivity, sort of the traditional networking and connectivity kind of things, the patient needs to be a good advocate for themselves on sort of what’s happening. You know, if you get one of these, then I would just be asking, I mean, if I ever got one of these, I would be asking these questions like, okay, when issues happen, what am I supposed to be doing? If there’s a recall, what do I do? If there’s, you know, I read about a scary story, you know, who am I contacting, you know, to figure out, like, do I have to do something for my own well-being? And so I think that piece is important and critical. I think that, again, the MDMs and the hospital organizations, I mean, we have our own obligations of notifying and putting surveillance, and what I mean by surveillance is like just monitoring the state of the situation, or the state of the situation of cyber around these devices. And if there is a recall that needs to happen, then we need to take care of that and do the outreach and work with the patients as well. But, you know, I mean, that’s part of the hyper-connectivity of our world, you know, and so it’s going to be there. You need to know what the potential implications are of connectivity being non-functional, or if the device is, you know, is it possible for a device to be acting in a non-conforming way, you know, understanding all of that sort of upfront would be good for making your decisions.
Saul Marquez:
Yeah. No, that’s fair. Great callouts. So I had to ask, it’s just kind of where things are going. So.
Erik Decker:
Yeah. And.
Saul Marquez:
It’s on all people’s minds.
Erik Decker:
I’ll say, I mean there was, you know, what was it, Homeland, have you ever watched the TV show Homeland?
Saul Marquez:
Yeah, I have.
Erik Decker:
Okay. So the second, sorry if anybody, spoiler alert, the second season I think is when they tried to make an assassination plot on the vice president.
Saul Marquez:
Yes, yes!
Erik Decker:
Yeah. Because of a pacemaker that they had. So you hear these horror stories of that kind of stuff happening. I’ve never heard of it actually taking place. I’ve seen proofs of concept where you can take an insulin pump and force it to pump out at a far greater rate than it’s supposed to be able to do. But again, nothing actually occurring. So it’s scary and it’s something that we need to be aware of. I think the more likely scenario where patient safety comes into play is the unavailability of the systems and devices, that we are seeing over and over and over again. So it’s, yeah, I mean, never take your eye off the ball because this stuff changes all the time.
Saul Marquez:
Yeah.
Erik Decker:
But you know, that’s the immediate, that sort of the unavailability of the systems and digital systems is really truly the immediate piece.
Saul Marquez:
That’s the biggest threat. Yeah. Wow, Erik, thank you. We could talk about this for hours. And I’m sure, folks, you’re enjoying this just as much as I am, but we’re here at the end. So what would you leave us with, Erik? You know what? What’s the call to action we need to be thinking about? And for anybody that wants to follow you and your work, what’s the best way for them to do that?
Erik Decker:
Yeah, so there are a couple of things. One, the 405D program is a Health and Human Services co-led program. So I’m the industry lead for it, I’ve got a counterpart at HHS, we built the HICP document, we call it Hiccup. So it’s a good medical term.
Saul Marquez:
Nice.
Erik Decker:
Sticky, HICP.
Saul Marquez:
Yeah! For sure.
Erik Decker:
So if you go to 405.HHS.gov, you’ll find all of that. You’ll find the resources, that publication, HICP, is now modified, HIPAA and HITECH. And so if you’ve implemented that.
Saul Marquez:
Cool.
Erik Decker:
OCR, as part of enforcement actions, if you do get compromised, they have to consider your adoption of HICP in their enforcement action. So honestly, it’s a great incentive to just go there and do it.
Saul Marquez:
Just do it.
Erik Decker:
You know, and then demonstrate that you can do it because it’s kind of a little like relief. I’m using the word relief, our federal government doesn’t use that yet, but.
Saul Marquez:
That’s fair.
Erik Decker:
So that’s one thing. The second thing is if you go to, and I’m sure we can put all this in the show notes.
Saul Marquez:
Oh, yeah, everything will be there, folks, don’t worry.
Erik Decker:
HealthSectorCouncil.Org is the Joint Cyber Working Group. So 405D is one of 15, there’s a whole bunch of other working groups that we’re doing. If you are a practitioner in healthcare, you’re on the delivery side or plan or pharma, you have an open invitation to join us and, you know, roll up your sleeves and try to work through some of the challenges. If you’ve got a particular cyber thing that you really are passionate about and you want to see movement on, there’s probably activity occurring. And you can join us and you can, you know, do some good for the world.
Saul Marquez:
That’s outstanding.
Erik Decker:
And give back. So I would definitely suggest people get involved in both of those.
Saul Marquez:
Well, Erik, thank you. And folks, again, as a reminder, you will see all of the links that Erik shared with us in the show notes. So make sure you click on them, figure out ways that you could contribute and ways that you could add value to your organization. Erik, this has been amazing, I want to thank you again for spending time with us.
Erik Decker:
You bet. Thanks, Saul!