How Well Do You Know Your Healthcare Supply Chain? Are Your Vendors and Service Providers Infectious Carriers of Cyber Attack?

Ed Gaudet, CEO and Founder of Censinet


In recognition of the 19th annual National Cybersecurity Awareness Month, the Outcomes Rocket Network has launched a 10-part podcast series to raise cybersecurity awareness in healthcare on our main channel, the Outcomes Rocket Podcast. Partnering with leaders in healthcare cybersecurity in their capacity as members of the Health Sector Coordinating Council, the series aims to illuminate the advances made in protecting critical healthcare infrastructure and patient safety, and the areas that need further focus to put a stop to cybercrime.


We need to look at cybersecurity from a supply chain perspective, so dive in with one of the best in the industry!

In this episode, Ed Gaudet, CEO and Founder of Censinet, talks about healthcare cybersecurity supply chain risk management and how the HIC-SCRiM Guide can help organizations assess the risk that they and their third-party vendors and suppliers face, and build an action plan against attacks. In today's healthcare cyber landscape, ransomware attacks and other cybersecurity incidents can take down systems and clinical operations, directly affecting mortality rates and delays in care. As Ed explains, cybersecurity is an issue that can affect anyone. Operations that depend on a supply chain have to be protected in both a macro context (the vendors, suppliers, products, and services that support patient care, technical or not) and a micro context (the components and libraries that make up the software and devices themselves). He describes how healthcare organizations came together with the HSCC to develop the HIC-SCRiM Guide. This document, based on the NIST Cybersecurity Framework, provides a roadmap and practices to address the issue. Ed discusses why it is important to have a plan in place for plausible attacks, and some documents, resources, and tools that can help with that.

Tune in to learn how to protect patient care and operations from cyber-attacks!


About Ed Gaudet:

Ed Gaudet is the CEO and Founder of Censinet. With more than 30 years of software experience across various executive leadership, product, marketing, and sales roles, Ed has spent more than a decade helping healthcare providers modernize and automate their cyber risk and security infrastructure. Ed has held senior executive-level roles in various start-up and public software companies including Imprivata, Liquid Machines (sold to CheckPoint Software), IONA Technologies, Rational Software, and SQA, Inc. Ed is a member of the HHS 405d Cybersecurity Working Group and various Health Sector Coordinating Council task groups for Cybersecurity, Supply Chain Risk Management, Medical Technology Contracts Language, and Emerging Technology. Ed holds patents on authentication, rights management, and security processes and technologies.


Outcomes Rocket Podcast_Ed Gaudet_October Cyber Awareness Month Podcast Series: Audio automatically transcribed by Sonix

Outcomes Rocket Podcast_Ed Gaudet_October Cyber Awareness Month Podcast Series: this wav audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Saul Marquez:
Hey everybody! Saul Marquez with the Outcomes Rocket. I want to welcome you back to today’s podcast. So privileged to be working on this amazing series on cybersecurity and healthcare for October. The guests we have had on have been insightful and I think have left us all with resources that we could use in our organizations and ideas that we could implement to make ourselves more cyber-safe, and today is going to be no exception to that. I’m joined by the outstanding Ed Gaudet. He is the CEO and founder of Censinet. With more than 30 years of software experience across various executive leadership, product marketing, and sales roles, Ed has spent more than a decade helping healthcare providers modernize and automate their cyber risk and security infrastructure. And Ed has held senior executive-level roles in various startups, as well as public software companies, including Imprivata, Liquid Machines, and other well-known entities out there, all focused on making our systems and organizations and care for patients cyber-safe. And it’s such a pleasure to have you with us today, thanks for joining.

Ed Gaudet:
Thanks, Saul. Yeah, I’m happy to be here, and happy Cybersecurity Awareness Month.

Saul Marquez:
Yeah, happy Cybersecurity Awareness Month. So, Ed, before we get into the potatoes about what we’re going to cover here, specific to supply chain, talk to us about you. What got you into the cybersecurity field?

Ed Gaudet:
Yeah, so, you know, I spent my career building products and helping organizations solve some pretty interesting problems. I’ve done everything from development environments. Back in the nineties, we created the automated testing and quality assurance set of products and technologies that obviously are in use today. So very proud of the work I’ve done and the teams I’ve worked with over the couple of decades in software, and specifically focused entirely in the software area. Again, working with organizations to really identify those problems that can be automated through software. And with healthcare, what’s interesting, I joined healthcare back in 2010 when I joined a company called Imprivata, and what I found was that there were so many problems that could be solved with technology in healthcare. We used to say that, as we looked at the different verticals that were out there, healthcare was always five years behind everybody in terms of their maturity and technology adoption, as well as the amount of investments they were making in digital transformation. And in 2010, something magical happened in healthcare. The HITECH Act came out as part of ARRA, as part of the Obama administration to modernize healthcare. And with that, that brought a lot of investment dollars to the healthcare systems to really move from paper to electronic health records, and that was obviously the right thing to do for patients, for patient outcomes. The nice thing about healthcare is that, unlike other industries, when you come in and work in healthcare, there really is this shared mission with not only your health system customer, but also the providers that you work with on a day-to-day basis. So everyone’s a customer at some point, everyone has family members that are patients, right? So it’s important that when you look at the wellness and the outcomes of those patients, you obviously want to make sure that everyone is, gets the best care and has a safe experience. 
And that all changed when the industry started to move to electronic systems because of the complexity and the opportunity for the bad guys to get in there and cause havoc. And back in 2010, you had to deal with data loss, right? So effectively, if you got hacked or breached, you lost data. And of course, that’s embarrassing and it’s costly, but no one dies when data gets lost, typically, right? You pay a fine, you might have to put a corrective action in place. Fast forward to 2016, 2017, we start to see this thing called ransomware. And ransomware, you know, we started to hear in 2018, 2019, it was affecting these organizations much differently than a pure data breach. And so we partnered up with Ponemon in 2021 to do a survey to really look at the impact of ransomware on patient care, and what we found was staggering. We asked basically whether or not there were increases in mortality rates, patient delays, procedure delays. And when we looked at the mortality question, I thought, okay, we’ll probably see some indication. Now, remember, this was a qualitative assessment, a qualitative survey. So it’s directionally correct, it’s not quantitative, though. So we’re sending this out to IT professionals that are observing these things within the context of technology and healthcare. And so what was interesting and scary was that 22% of those organizations had experienced increases in mortality rates based on ransomware attacks. So we think that’s a huge call to the industry to look at how we come together as an industry, how we come together as a community to take on these ransomware attacks and other cybersecurity incidents that can take down not only systems but actual operations. We’ve seen organizations close actually within the context of getting hit with ransomware. We’ve seen clinics actually close and that’s an awful thing. 
Imagine you go to your clinic and you can’t actually be seen because now they’re dealing with a ransomware attack, or your husband, wife, sister, brother, mother, father, cousin are in an ambulance dealing with a heart attack or some other illness, and they get diverted to another system that might be 40 minutes away. So we look at that and think that there’s got to be a better way. As an industry, this is a serious call to action. We have to come together and we have to fix these problems.

Saul Marquez:
Thank you, Ed. Yeah, for sure. And wow, staggering number, 22% have had deaths associated with ransomware, and these things don’t even make the headlines. Like you don’t even see it, right? This is kind of like, you don’t see it. You see things or, I don’t know, have I missed headlines, Ed? Maybe they are in the headlines.

Ed Gaudet:
You know, there are a couple of cases out there and we’ve seen over the last couple of months, actually, more and more vendors are working with organizations like the Ponemon Group to continue to look at this problem, and the numbers are still high. I mean, the numbers on mortality rates and delays in care. And, you know, you just look at the recent CommonSpirit incident, right? 142-hospital system, over 2000 care sites were impacted. Their EHR went down, they couldn’t deliver care to their patients, they delayed patient care, you know, and they’re still dealing with this. Scripps, University of Vermont, UHS, I mean, the list goes on and on, and these are significant incidents that cost in the millions for these organizations to not only deal with the incident, respond and recover, but also then build in those systems, build in those processes, build in those toolsets and resources to ensure that it never happens again, and it’s a huge wake-up call to the industry. I mean, over the last two years, I don’t think we’ve ever experienced this level of impact from cyber in healthcare.

Saul Marquez:
And thank you, and that’s what makes me so excited about what we’re doing, bringing awareness to the options. And so in thinking about operations with supply chain, what’s the issue with supply chain cybersecurity?

Ed Gaudet:
Yeah, sure, well, it’s simple. If one cyber event can have a ripple effect, a disastrous effect on an industry, and if you think about the supply chain, you can think about it in two contexts: the macro and the micro. The macro is, you look at the patient care continuum and the supply chain that supports patient care, everything from the doctors, the systems, the lifesaving and life-sustaining systems, the drugs, the pharmaceutical organizations that do research all the way through manufacturing, right? So this is a significant level of components, vendors, suppliers, products, and services that go into delivering final products that can be applied to sustaining life. And at each point in the supply chain, there’s an opportunity for some type of impact from a cybersecurity event, as an example. And I think when most people think about cybersecurity, they think about the technology aspects of it. And that’s important, right? The systems that support the operations, making sure that those are running smoothly and making sure that those are available and continuous. But it’s gotten more complex over the last ten years because more and more of the technology that’s being deployed within healthcare is being provided by third parties, and typically those systems are hosted in the cloud. And so those cloud systems and those devices now that have access to the Internet, access to the cloud applications, create an enormous amount of complexity and create an enormous vector of attack that didn’t exist a decade ago. And so when you think about the supply chain, you think about it from all of the, again, providers, whether they be technical or non-technical. For example, if you’re a healthcare system and your major laundry service supplier gets hacked, and let’s say you’re a large health system, and let’s say there’s only one laundry system that can support your needs, and that gets hacked and taken down, guess what? 
You can’t operate your hospitals because you don’t have a laundry service. So these are significant times for health systems as they think about protecting not only the data as it flows throughout their system into partners and third parties, but also those non-technical suppliers that have operational impact to the overall system. Everything’s got to be considered these days. So you’ve got that macro consideration from a supply chain perspective. Then you’ve got the micro consideration, I call it the micro consideration because it’s within the context of software and I think people often conflate the two. Software has its own supply chain. You’ve got the components that are being used to integrate it into your application or device that provide that level of service back to the end customer, and that in and of itself is a supply chain. And so when you think about software developers, and you think about medical device manufacturers, and you think about the bill of materials that goes into creating those applications and again, life-sustaining devices, it’s critical that we understand each one of those points in that supply chain so that if a library gets hacked or there’s a vulnerability in a library like Log4J a year ago. Log4J basically took down every single IT security organization from an operational perspective. They had to deal with that. They had to look at all of their applications and figure out which application has the version of Log4J that’s been impacted and how do we deal with it? And can you imagine? It’s all manual, they’re dealing with it in spreadsheets. It was during the holidays too, so a lot of people were just working 24 by 7 to figure out how vulnerable they were and whether or not they had an incident and how to remediate that as quickly as possible so they didn’t have an incident going into the new year.

Saul Marquez:
Yeah, it’s both the operations, but also that operations and system that keeps it all going. That also has its mini supply chain, like you said, and critical that we keep our eye on the ball on both of these. You know, a lot of people don’t know where to begin and that’s the truth. And so there’s an opportunity here, Ed, to talk about what the Health Sector Coordinating Council has published on supply chain. Can you help us understand what that is and how it could benefit them?

Ed Gaudet:
Yeah, absolutely, so the Health Sector Coordinating Council is a public-private partnership, so it combines government personnel, agencies, resources, and the private sector. So folks like Censinet and folks like other organizations like J&J and Merck, which are the two co-leads on the Health Industry Cybersecurity Supply Chain Risk Management Guide, that we’ll talk about in a second. We call it the HIC-SCRiM, and these organizations work together to identify a problem and then develop guidance and practices, best practices to address the issue, to address the problem, and provide that back in the form of formal documentation and training and insight and awareness and webinars and all this, different levels of support back to the industry through this public-private partnership. So it’s really a, I’ve never seen it in any other industry, and obviously, it stems from the critical infrastructure that healthcare is. And so you have the critical infrastructure agencies as well helping out and providing guidance and providing insight and resources into these other organizations. And so the task group was formed basically because we identified an area of a problem. We identified that there was a lot of focus going into cybersecurity as an IT issue, but nobody was really looking at it from a supply chain perspective, and NIST, which is the National Institute of Standards and Technology, NIST created the standard for cybersecurity called the Cybersecurity Framework. And the Cybersecurity Framework, the latest version, 1.1, included information on identification and management of the supply chain in the context of cybersecurity. And so we took that guidance out of NIST basically, and expanded it for healthcare. And so if you look at those basically five sections, the first section is really about establishing processes, roles, responsibilities, policies, procedures, etc., 
and there are tools and templates within the HIC-SCRiM itself that enable organizations to build out these supply chain risk management programs fairly quickly and fairly robustly. We also look at identifying and assessing suppliers, so really looking at that inventory of products and services and vendors, technical or non-technical, and formalizing it, documenting it, and building out a digital inventory of those vendors and suppliers. And then third, we look at the contracts that can support obviously those obligations that each one of those suppliers must meet in order to work with the particular healthcare organization. We look at the process for assessing each supplier. We look at basically, questioning, we have templates for risk assessment questionnaires provided in the HIC-SCRiM. We have sample contract language. We also reference other task group documents and practices that can be used in conjunction with the HIC-SCRiM too. And so if you look at the 405D and the Health Industry Cybersecurity Practices, the HICP, which is how we got HIC-SCRiM, right? The HICP is sort of the foundational document and…

Saul Marquez:
And you know what, it’s actually worth noting. So folks, if you haven’t listened to the episode on HICP with Erik Decker and Julie Chua, you’ve got to check that out. I’ll link it here in the show notes because it’s foundational. And I didn’t mean to interrupt, but if you haven’t listened to that, definitely take a listen to it, foundational stuff. Ed, please go ahead. I wanted to plug that.

Ed Gaudet:
No, it’s a great point, no.

Saul Marquez:
Since you brought it up.

Ed Gaudet:
Yeah, it’s a seminal piece of work, and every healthcare organization should be using the HICP in conjunction with their cybersecurity practices. And so we obviously referenced that, we leverage that as well in the set of practices and guidance that we provide for supply chain risk management. We look at audits, meeting the contractual obligations, how do you verify that the supplier is actually implementing the controls that are needed to protect data, as an example. We also look at what happens if you get attacked, what happens if there’s an incident, what are your recovery procedures, how do you respond, and how do you plan for that in advance, right? It’s one thing to get hit with an incident, it’s another thing to get hit with an incident and actually have a plan, and you’ve actually done tabletop exercises to test out the plan and to test out the assumptions. And so we talk a lot about that in the document as well and provide guidance. But it’s really important that for those critical systems, you understand how long it takes to recover. And because that’s so core to managing that incident, and we always say it’s not a matter of if, it’s a matter of when, you most likely will have an incident. The systems are too complex, the systems are too porous, and quite frankly, the vector is bigger than ever from an attack perspective. And so all you can do as an organization is ensure that you’re, you know, the level of care, the duty of care that you’re providing is meeting the standard. You’re doing all the right things from a process and a procedure to training your people. You’re implementing the right tooling, you’re putting in the right controls and you’re validating those controls as well. So in the event of an incident, you can actually point to a practice that the government actually looks towards as well as a recognizable best practice. 
And so there’s recent regulations that came out the public law 116-321, which is part of the HITECH Act now, states that if you’re using a recognizable security practice such as HICP, such as NCSF, then you’ll be covered when there is an incident from a consideration perspective. If OCR comes in and audits you post-incident, they have to consider the fact that you are using one of those recognized security practices when they look at fines and corrective actions and continuation of audit, etc. So it’s a no-brainer, I mean, I like to call it the get-out-of-jail-free card. Some people resist that, but I just think it’s such a simple metaphor. And again, you’re doing the right thing, you’re following those practices that are out there. There’s no such thing as 100% security, otherwise, you can’t, you wouldn’t be able to operate your business, right? You’d have everything in a safe and no one would be able to use the, exactly. So you have to have that layered approach. You have to put in those policies and procedures, and you have to be vigilant about ensuring that you have the latest and greatest, and you’re leveraging automation as much as possible because we just did a, you know, if you look at the organizations and how people are doing, we just did a study with Ponemon, the task group. We worked with Ponemon on a pro bono survey. Ponemon was gracious enough to give us their time to survey about 400 health systems to look at the maturity of their supply chain risk programs, and what we found was that we had a lot of work to do. I mean, people aren’t even doing the basics. 20% of the folks didn’t have full, less than 20% of the folks that were surveyed didn’t have full inventories under management. And for smaller healthcare organizations, it’s three times as bad than the larger organizations, they have no inventory at all, so they’re flying blind. 
46% of the folks that we surveyed, they’re only looking at new suppliers and products and services at the start of their program. They’re not going back and looking at those suppliers and vendors and products that are currently under contract and putting them into the reassessment process. And because, again, they can barely keep their head above water with the volume they have to deal with from the net new providers and partners that come on board. So we think there’s a lot of opportunity to leverage these best practices, such as the HIC-SCRiM, such as HICP, such as the other types of documentation that are provided by these task groups in public-private partnership with the HSCC. So there’s a lot out there, and I know you’ve talked to a few of my colleagues on these different task groups as well. So again, exciting times and a lot to do to bring the maturity level of healthcare up to the level that some of the other industries are at. So if we look at finance as an industry and its maturity from a cybersecurity perspective, the businesses are very different, but the level of maturity of a financial organization is in some respects much higher than that of a typical healthcare organization. So we can learn a lot from other industries as well.

Saul Marquez:
Thank you, Ed, where do you see this going? I mean, how long is it going to take us to get to our finances?

Ed Gaudet:
Yeah, you know, I think a lot of it has to do with prioritization, investments, and also an awareness that the technologies that are out there that can help you have significantly improved over the last five years as well. So for example, if you’re using spreadsheets to assess vendors and products, why are you doing that, like spreadsheets? I mean, the seventies called, they want their spreadsheets back, right? And the reason I started Censinet is because I experienced the pain being a vendor and having to deal with all of these different spreadsheet requests coming in from healthcare providers. You know, I’ve got to assess my product, and this spreadsheet, with these sets of questions, was so very different than this spreadsheet, with these sets of questions. And the semantics are different, you can never get leverage. And so, yeah, and so it’s like, why are folks doing that when there are platforms out there that can automate this? And also enable you to not only, like the data showing out, you can get ahead of the problem, you can actually not only look at those net new providers, solution providers, technologies, vendors, etc., but you can actually go back and add the ones that are currently under contract to those platforms and automate the scheduling of reassessments. So now you’ve got that complete digital inventory of all of your vendors, third parties, suppliers, all of the different tools and technologies that are being deployed within your healthcare system. All the different systems that have data, the systems that have a BAA or don’t have a BAA, business associate agreement, which is contractually required, again, if you’re a covered entity under HIPAA and you have someone that’s actually leveraging protected health information or processing it in some way, you have to have a BAA with those third parties. 
And it’s just interesting how people manage that today, a lot of it is spreadsheets or emails or phone calls or, so we think there’s a lot of catching up that the industry has to do and there’s a lot of available technology and solutions to help them do that.

Saul Marquez:
And so, I guess it’s talking about it. It’s making sure, folks, you’re listening to this podcast, that you don’t just stop at listening, you actually check out some of the things that we’ve talked about, the HIC-SCRiM document that will link up here at the bottom of the show notes. We’ll also provide a link to Censinet and the work that they do that you could benefit from. The call to action here, folks, is to do something about it, and that’s how we accelerate. And what call to action would you leave the listeners with here as we wind this thing down?

Ed Gaudet:
There’s a lot of support out there. There’s obviously the Health Sector Coordinating Council, the 405D, they provide a lot of support from an awareness and training and educational and knowledge perspective. There are providers of free tools that you can leverage as well. HHS and the ONC provide free HIPAA tools. Censinet actually provides a free tool for HICP assessments and benchmarking which is available to all hospitals. And so we think there’s an opportunity for everyone to get on and start using HICP and start building out their processes with the HIC-SCRiM guide and again, leverage your community, leverage your peers, lean on the organizations that are available to support you. Participate, we’re always looking for volunteers, so join us in the fight to end cybersecurity attacks and incidents and obviously the impact that they have on patient care and operations.

Saul Marquez:
Thank you, Ed. Great calls to action for everybody listening. And folks, as I’ve mentioned in the series, we’re going to post these in the channels that you usually listen to like you’re listening to now, and we’re also posting them on LinkedIn. So what I invite you to do is to comment below the little snippets that we put up there. Tell us if you use some of the work that we shared with you on this series. Give us your thoughts. Did something resonate? Did you disagree with something? What we want to do is encourage a discussion here around this because Ed has offered us a lot of value on today’s podcast. So, Ed, I want to thank you personally, on behalf of all of our listeners for spending time with us and for sharing what you’ve done so well.

Ed Gaudet:
Thank you, Saul, appreciate it.

Saul Marquez:
All right, well, folks, there we have it, Ed Gaudet. Check out all the resources, and thank you again for tuning in to our series.


Things You’ll Learn:

  • The macro context of supply chain cybersecurity involves vendors, suppliers, products, and services.
  • The micro context of supply chain cybersecurity involves the supply chain of the software being used.
  • A lot of technology being deployed within healthcare is provided by third parties, and typically those systems are hosted in the cloud, creating an enormous vector of attack.
  • Public Law 116-321, an amendment to the HITECH Act, requires regulators to take into account whether an organization had recognized security practices such as HICP or the NIST Cybersecurity Framework in place when deciding fines, corrective actions, and the scope of an audit after an incident. It is not a guarantee against penalties, but a documented, validated practice is what an organization can point to.
  • A supply chain risk program needs a complete digital inventory of all vendors, third parties, suppliers, and the tools and technologies deployed within the health system, including which of them hold data and whether a BAA is in place; platforms such as Censinet’s automate that inventory and the scheduling of reassessments for suppliers already under contract, not only new ones.
  • If you’re a covered entity under HIPAA and have someone leveraging protected health information or processing it somehow, you must have a Business Associate Agreement with them.
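The micro supply chain point above, and the Log4J scenario in the interview (inventory every application, work out which one ships an affected version, all of it in spreadsheets), is the kind of check that should be automated. The example below is added here and is not code from the page, from Censinet, or from the HSCC. It walks a CycloneDX-style JSON SBOM (the field names `components`, `group`, `name`, `version`, `purl` are the real CycloneDX ones; the SBOM content is constructed for this example) and reports every component, including ones nested under a vendor component, whose version falls inside an advisory's affected range. The advisory table is an assumption for illustration, seeded with the published Log4Shell range for log4j-core; in practice it would be fed from vendor advisories or NVD rather than written as a literal.

```python
"""Flag SBOM components that fall inside a known-vulnerable version range.

Added example (not code from the page, Censinet or the HSCC). The CycloneDX
field names are real; the SBOM content and the advisory table below are
constructed for this example.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    group: str
    name: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive


# Constructed advisory table. Real advisories often list one range per
# release branch, so a production table would hold one row per range.
ADVISORIES = [
    Advisory("CVE-2021-44228", "org.apache.logging.log4j", "log4j-core",
             introduced="2.0-beta9", fixed="2.15.0"),
]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+.].*)?$")


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    The last element makes a pre-release ('2.15.0-rc1') sort before the
    final release of the same number, so '2.15.0-rc1' still falls inside
    a range whose fix is '2.15.0'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x) if x is not None else 0 for x in m.groups())
    is_prerelease = re.search(r"[-+][A-Za-z]", text) is not None
    return (major, minor, patch, 0 if is_prerelease else 1)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def _walk(components):
    """Yield every component, including ones nested under another component."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def scan_sbom(sbom_json: str, advisories=ADVISORIES) -> list:
    """Return (advisory_id, purl_or_name, version) for every matching component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in _walk(sbom.get("components", [])):
        for adv in advisories:
            if comp.get("group") != adv.group or comp.get("name") != adv.name:
                continue
            if is_affected(comp.get("version", "0"), adv):
                findings.append((adv.advisory_id,
                                 comp.get("purl", comp["name"]),
                                 comp["version"]))
    return findings


# Constructed SBOM: the application itself runs a patched log4j-core, but a
# bundled vendor component nests its own copy of the affected version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "application", "name": "vendor-integration-engine", "version": "4.2",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         ]},
    ],
})


if __name__ == "__main__":
    for advisory_id, purl, version in scan_sbom(SAMPLE_SBOM):
        print(f"{advisory_id}: {purl} (version {version})")
```

Run against the constructed SBOM, the only finding is the log4j-core 2.14.1 nested inside the vendor component; the top-level 2.17.1 and the separate log4j-api artifact are correctly left alone. That nested hit is exactly the case a flat spreadsheet of "applications we run" misses: the vulnerable library is not in the organization's own dependency list but in a supplier's, which is why the HIC-SCRiM inventory needs bills of materials from suppliers, not only a list of the suppliers themselves.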

Resources:

  • Connect with and follow Ed Gaudet on LinkedIn.
  • Follow Censinet on LinkedIn.
  • Discover the Censinet Website!
  • Read the Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM) here!
  • Read about the HHS 405(d) Aligning Health Care Industry Security Approaches here!
  • Read the Health Industry Cybersecurity Practices (HICP) Document here!
  • Listen to the Previous Outcomes Rocket Episode with Erik Decker and Julie Chua on HICP here!
  • Visit the Health Sector Coordinating Council’s Website!