Why Compliance is not the Safest Cyber-Security Strategy with Grant Elliott, Founder & CEO at Ostendio, Inc.

Why compliance is not the safest cyber-security strategy with Grant Elliot, Founder & CEO at Ostendio, Inc.

Hey Outcomes Rocket friends, thanks for tuning in to the podcast once again. As a leader in health care, you have big ideas great products, a story to tell, and are looking for ways to improve your reach and scale your business. However there's one tiny problem. Health care is tough to navigate and the typical sales cycle is low. That's why you should consider starting your own podcast as part of your sales and marketing strategy. At the Outcomes Rocket, I've been able to reach thousands of people every single month that I wouldn't have otherwise been able to reach if I had not started my podcast. Having this organic reach enables me to get the feedback necessary to create a podcast that delivers value that you are looking for. And the same thing goes if you start a podcast for what you could learn from your customers. The best thing about podcasting in healthcare is that we are currently at the ground level, meaning that the number of people in healthcare listening to podcasts is small but growing rapidly. I put together a free checklist for you to check out the steps on what it takes to create your own podcast. You could find that at outcomesrocket.health/podcast. Check it out today and find a new way to leverage the sales, marketing and outcomes of your business. That's outcomesrocket.health/podcast.

Welcome back once again to the outcomes rocket podcast for we chat with today's most successful and inspiring health leaders. Today I have an outstanding guest for you today. His name is Grant Elliott. He's the founder and CEO at Ostendio, Inc. He's an entrepreneurial leader with over 20 years experience in a variety of operations, customer service, product dev and most importantly in the executive capacity. His track record in this space is really attributed to what he's been able to do. He's been able to create significant growth, development and change for those seeking to make positive change in cyber security and at his work right now at Ostendio, they're actually working to change the way companies look at and manage their cyber security risk management and compliance programs. Today in healthcare, it's such a big focus for everybody to make sure that cyber security is in a positive state and that it's not interrupting our healthcare operations. So I think the topic we're going to dive into today with him is going to be very pivotal to anyone running a health care organization. So it's with a big privilege that I open up the microphone to Grant. Welcome to the podcast Grant.

Thank you Saul. So it's a pleasure to be here.

It's a pleasure to have you here. Now Grant you obviously span various industries but you do have a niche in the health care market. What got you interested in spending more time within the sector?

Yeah it's a great question though from my perspective my background predominately was telecommunications as I'm sure that you can tell from my accent or not native to the U.S. And so I work for a Brit British Telecom for a number of years and based on incapacities protoplasmic marketing operations etc. That kind of brought me over to U.S. had for a short period of time for AT&T so I always had up the networking event to why that rolled over the mid 2000s. I had the opportunity to work for a digital pioneer and digital and tech company and the connection really was that they were doing a lot with the SMS. they were building health information systems and in rural countries you know Eastern Africa, Indonesia, India. We are the general infrastructure wasn't mature. And so they were actually using cell phones and internet particular the method communicate and manage drug inventory. that built to those et cetera. And so that was the kind of connection you know this telecom background to digital health company that we've seen using communications as a primary means of channels. And really what got me into the digital space and then from that point on you know I've just been really fascinated with you know obviously the security aspect, the risk management aspect to be able to do that and what the chief operations officer and chief information security officer of digital health company and that is really what got me involved and you know conducting audits for you know some of the major peers, providers pharmaceutical organizations and really you know ultimately to recognize that our journey just Hoboken the security of supplies managers peacefully voice within this particular segment.

Super fascinating Grant and you've worn a lot of hats and you've seen the various scenarios that could happen and you've helped organizations plan for that have helped protect them against these these types of cyber attacks but also weaknesses in their own network. If you take a look at the entire arena of cyber security and health care what do you think is a hot topic that needs to be done on these leaders minds listening right now?

I think that people need to understand that the world we live in today particularly in health is very different. And what I mean by that is if you think that where the data are stored, you know 15 20 years ago most organizations which store data on prem they would use the basic perimeter security. And so to some degree you know whether this is correct or not they had this greater premise that can't fully protect that information using the only Caslen Mortell technologies. Well today with quote technology is all over, right. You know we no longer have a single copy of data. You know when you go to your provider or you work with your peer and they're interacting with a complete list of increasing list of vendors who are providing daily different services on. So that data that you providing them, the data defeated on your behalf isn't necessarily just sitting in their premise, they themselves may be using some that call based service to be so store data and then increasing number of their vendors are using call-based services to provide services to the organization. So when you think of that way you're very sensitive person dataset as you're interacting with any healthcare organization. You know it's no longer just sending one place. It's really. You know and that's really helped us aesthetically been exacerbated but that's the whole meaningful use that push to make sure that and health information digitized to make it more accessible. And the very nature of healthcare is that in order to provide services we want ease of access to that data. The providers, doctors, physicians, they all want you to access to manage the treatment of care to process payment etc.. And so we live in this world today where it literally can be anywhere. And so the question then becomes you know has the industry itself woken up to the dangers that we're seeing through the media. I mean breaches are occurring to accomplish the rise of which are just shortie practices. And so really I think people need to wake up decide that this is a much different environment in terms of how these organizations are managing data and really the onus on those organizations and the people using this onus is that this organization really should be asking much more stringent questions but how are these organizations adapting to this change and what additional steps will prevent measures are there to try and protect this more complex environment.

That's really insightful right. And as we think about data as it sits today to Grant's point it's no longer. It's with the customers vendors payers that we work with. Now everybody is using cloud-based technologies. So how do we get smart about protecting this information and grants really highlighting some things that we need to be focused on. Grant can you give us an example of how you and your organization have created results by doing things differently?

Absolutely. So I mean again part of the reason I got into this space is because when I look at organizations we're building the security programs and I look at the types of services that were available to those types of organizations there ar e various principles, right. Used to look at the market to specific ways those are am I gonna secure in my market and not very much the agent who wouldn't have an I.T. security where people want you to think that firewalls low gadgets solution becomes a very tech centric approach to security. Even our law a lot of data doesn't allow is ethically and software or applications that actually use it often is process or link it to you know ex employees so having access to information, people misposting information etc. So there's the aspect of you know how organization are prepared to that. And then there's the counter component called a compliance and so obviously everyone's familiar and most people familiar with that and there's a general assumption that because I think because it's written into federal law that these organizations are now doing a really good job at protecting into the legal they are supposed to. When actually what we may gonna do is this compliance programs to meet specific compliance requirements and then put the things together made them compliant to, being compliant doesn't necessarily make you secure these a lot of these regulations that they put me right and they're protected in different ways. So all of organizations have a successful plan. Compliance programs. But really what they're focused on doing is trying to meet those regulations that rather the security organization. I single battle of agendas have got really most these a regulations. They're not there for the sake of being there really they have to drive the organizations into the program. So some of the compliance programs that could almost say their original purpose was not to be a means to an end but to make sure these organizations are building a safer security. So what we do is we basically try and bring that together. We try and focus these organizations on building in a safe secure program. We will map to the compliance requirements. You can just me these objectives and then we think of a people-centric view to do that because again, we don't take up solution based perspective and technology security tools to just tools. We really try and map those across each individual within the organization, give them a score, help them understand who contributes to else huge portion of the organization and then give the organization that grows that tools for them the measure of course of organization what they are doing audit is more effective to secure their data but also match that to whoever stand the regulations that happened to as well.

Very insightful. Grant and just as we think about what we're doing within our business, the fact is if you're compliant doesn't necessarily mean you're you're secure. And I think this is this is something that I'm walking away with here Grant because I know a lot of friends that are running businesses and they think, hey you know I'm I'm I'm following the rules, I'm compliant but that doesn't necessarily mean you're safe. It doesn't necessarily mean you're secure and it sounds like what your company does is really helps them walk through not the compliance piece but the safety piece. And we have to consider them individually of each other.

Absolutely. And you know we use this expression you know everyone was familiar with the colander right. You can have a name. Yes you new go on there. And we talked to lots of companies talk about how robust and how firm and who are the colander them there, the security program actually is. But at the end of the day, a colander they get that shot. As you know less not for more has it was Colander is you have to be in place of their removal something basically basically protect more holistically across the organization. And I think that's the mistake of all organization of today are really more focused on how you I basically obey some base of security matters in my front door. But then forget that the fact that will met through the window if even a face where you go everybody has leveled at the cause. So it is a much broader approach.

That's interesting yeah and for the folks in Inmet devices saying a big reason why the FDA is pursuing the unique device identifier. There's been many cases of cyber security threats that happen through medical devices and so definitely on the radar of a lot of us in this space and Grant, Grant Elliott here is talking to us about some of the things that we should be keeping in mind. Again Grant Elliott is the founder and CEO of Ostendio, where they help folks with their cyber security risk management and compliance programs. Grant, I'm sure you've seen some ugly stuff out there. Can you tell us a story something that you saw. And what that customer or what you learned from this security breach?

Yeah I think that they can increase the price of the number of years I've been doing this is basically a little motivation there are for certain organizations the base with those in a data security program. A couple of years ago I remember speaking to an organization and there were smaller organizations that when I was talking to the principal organization and they were talking toys about how they can improve their security. And this particular organization actually ran a very simple EHR it looks when in health record that was heated that was calling at that point call-base that went through the conversation discovery I realized that he literally is running this thing on a server under his desk. We do the testing for the new server to know that's scary. And and but it's actually more common scenario than you might think. We speak to, the tools we speak too she's compliance officer BBC news organizations every other day. No we will leave them. Legally what they're supposed to do maintain the security program. You know I spoke, I had dinner, a few months back with the CIO of our major health system. I'm not going to mention the name but there are basically seven or eight though in the health system and this CIO told me that I read the information security wasn't on the top ten list the. Right. And so there as you know a huge gap in the motivation factor of organizations to do this because a lot of healthcare systems you know you go back to first principles. What is the motivation to do that. Why do we need to do this. And you know part of the challenge is we've seen major breaches to which we see pervasive breaches all the time. And the question is does that actually change people's behavior or will you stop going to health system because they've been in the media for having a major breach. Do you even know who your insurance providers is? I know that you know when the Visa card I didn't even realize that they would appear for the pervaded that We actually had so there's an open question what more the these organizations the doldrum more effective security program. And that's not to say they're not doing anything but there's no doubt that you know if you compare the stain about healthcare systems or the healthcare industry compared to other industries that financially ill, it lags significantly there's not necessarily enough broad support and pressure to an organization I'm looking even on the digital health space. Some of these I.T. services organizations that are growing with you know 10 20 30 40 50 million dollars worth of investment will be made in them. And we talk to them in the security program in place whatsoever. So as it I mean I think you know from our perspective the seal the the road that we see a lot of this kiddy stuff. And it is frustrating to was that we can persuade them to the advantage of a technology's error that really makes sense. But the flip side of that also there is well we work with many organizations that really embrace what we have to offer a message to try and provide the best service they can and this be a third they understand the business impact of having a breach and understand how that can. And so there's certainly not organizations out there doing the right thing. But you know my perspective is you know because we see it as a regular basis. There's way too many of there that really are motivated sufficiently to fill this program mortal interested to see rather than actually backed up by actions.

Grant This is really interesting and it just kind of you know again forces us to think about how the general economy works and how the healthcare economy works so differently. If you had to sum up a plan if you had a three step plan for the listeners that maybe don't know where to start. What is it that you would tell them. Quite simply like Look here's Step 1 2 and 3 what do they have to do?

So we have a simple analogy, right. You know I equate building a security program to it running a marathon right as an ongoing on exercise. Now the first step to running a marathon is not signingn up for marathon necessarily force you just got to earn a lot right. Right. It doesn't matter if you're running today in the street, it doesn't matter if you're going to go and sign up for a 5k. You just need to start running, Right. Because at the end of the day if you run a 5k first of the March and already kill. So we focus on this that it really doesn't matter. The biggest excuse is that we get why people are going to you know this without too small it's too early. But the reality is what you do is all relative the rest of the organization here a smaller organization your risk is relatively more and therefore what you have to do for the most part can be a little less. There is a exemptions but for the most part that's true. And so just start doing something or you know really focus on voting some very basic courses of seniors even though most. These procedures from the Web to basic training, training people regularly do security practices and really trying to identify some sort of framework measurable sounds like support seven thousand one hundred 171. There's loss of security standards equal training the Web to basically and map then just gradually the week that we will start voting our plan and just allocate more of a pain to year budget. a small amount senses that this is the organization to just focus on this so it really doesn't have to be a huge task it just has to be bold and it's part of your business process and you'll be amazed. Over the course of a week a month a year just how much progress we can make. So when that client comes down and suddenly says you were ready to buy your service that we just need to get through security or that it doesn't need to be a scale as perhaps otherwise may be if you really just started thinking and toting that said from day one.

Well I've got some great takeaways folks from Grant on how to get your cyber security up and running at its best and you to just take small steps. It's really a call to action. Grant What would you say one of your proudest moments here in the cyber security space in healthcare has been today?

As an organization we started off with the premise of you know I mentioned the other one that you know I was somewhat surprised how complex how difficult this was perceived to be by organizations and sadly by men and the stakeholders of the organization that are serving in this community. So we start with the simple premise that we wanted to make the ability to organize to be compliant and manage risk accessible and available to any organization regardless of size and resource. So you know if you're a small, 10 person staff or if you are a large organization. We wanted to make sure that we need that forces that are more accessible to everyone more cost effective. So for us, when we come across a company that is using our services reputation sales through an audit or we get a senior or an organization Rayno it is all good teams and it was 100 percent compliant. Why they go nails and we have partners coming back to their base saying to their ability for their clients has been significantly streamlined to our platform. I think those are the things that really help us get a read. I can confirm that we're on the right path and that we are actually you know obviously working towards achieving our original mission. So I did that for the most satisfying thing we have because that means it proves we're on the right track.

Absolutely. And how about an exciting project or focus that you're working on today?

Yes there's a lot of great stuff going on and said you know when we started voting our platform we decided to do a slightly different way than most server kind of tools in the space. One of the things that we do is unlike maybe a GRC tool or some sort of a risk management too we actually enroll everyone within the organization to our platform so everyone has interaction with that platform. Everyone can see how their contribution contributes to the overall security Porscher. And so we're transacting with tens of thousands of transactions across a platform for people taking training courses to completely audit its access abuse vendor reviews saying it ignores poesie so that's happening everyday within the organization and because we can map that to various different standards regulations, we can try again maybe to an organization that has to go through hydro in an organization. Is that too to or or with with that when we actually map the behavior of each of those organizations against that sort of framework. So we've actually started a project that we were actually looking to we'll see if I can map out the daily basis and I can literally take almost that the security to comply the any of a company and ability to direct that into some form of digital contract to basically use blockchainin a digital age to basically try and manage the organization. Should I work with certifying authority to comment if we can second the platform and the right way against ever free market that they will basically step decided yet long as we are tracking that rate lever behavior and that's going to get rent to that digital wager that would ultimately allow organizations. No Gozi their costumers and say, hey listen not only are we racing your barman against a free market. But we will actually contract with you and give you access to a digital ticket. We will build the penalties for failure to meet that security threshold and that would significantly streamline the whole order process. Again it makes competitive advantage today that the companies themselves because they can't differentiate themselves to the customers from customers that are simplified there's been divergent process along the paper trail. They don't necessarily have to conduct audits because again as being end of the tail and certified so we are really working to try and simplify our securities fighting say the phone from a contracting perspective. And again it all builds off the core functions that you have with their existing platforms today.

That's awesome. Grant sounds like you guys are really streamlining the approach and just tackling it. Killing two birds with one stone so to speak. It gets really exciting.

Yeah I mean from our perspective what we're really pleased with the progress. You know whenever you're coming out and you think of the end of doing something slightly different in a market, you obviously have been trained persuading people that you have a slightly better way. You know people have been doing a lot of this stuff long time right. And people tend to be slaught, they don't change. But again you know we also running a business right so we know we're not just an idea shop. So we have to do this and we have to evolve that we have to bring customers, bring in revenue we have to pay salaries. So as we continue to grow as we can be more successful we know have these opportunities to kind of take that original version and enhance it as I've discussed. And yes definitely. You know a really exciting journey of degree I'd love to see what we're going to be in five years seen by this time that you know we're within all our supply agreements through blockchain after digital contracts that would be an amazing place to be.

That's awesome. So getting close to the end here. Grant let's pretend you and I are building a leadership course in cyber security. It's the 101 with Grant Elliott on cyber security. So we are going to write out a syllabus and get your answers for brief questions. Be ready for it?

Absolutely.

All right Grant here we go. So what's the best way to improve healthcare cybersecurity?

I think the key thing to focus on whatever premise you're trying to over I mean as I said we sat with this premise of really trying to make cyber security compliance risk management affordable and accessible and achievable for any organization. And we come back to that mission statement on a regular basis because everything we're doing has to be basically support that. So we continue to validate that with customers with the father of the family. So just being really focused on what you're trying to do the long term vision I think is the best way forward.

What's the biggest mistake or pitfall to avoid?

Assuming that the service you prevailed in itself is actually going to make a difference. You know this is really true particularly within healthcare because if there's not an economic value to what you do if you can demonstrate an economic value, as long as it's going to pay for what you're going to do then it really doesn't matter who give an idea. Healthcare in particular to me because that whole concept they're saving lives including health really in the marketplaces setting rates. The concept of making money and that goes with any business you really have to validate not just do I have a good idea. As can I persuade people to pay me enough money to be with facily and promote the idea and that's fundamental to you know what we need to keep focused on and I think too many people too many organizations sometimes forget that Clinton called for the idea itself that there's not enough people in the market there's not enough people within the target area to be sufficiently money to make that reality?

How do you stay relevant despite constant change?

It's really listening to our customers and ourselves we have an expression that you listens to everything your customer the same thing today used to 95 percent a way because 95 percent is useless. The remaining 5 percent is essential. The kernel of knowledge you're going to get from that 5 percent is fundamental to being to keep your business on track because if you ignore that 5 percent then you're absolutely going to go off the rail and your going to go in a different direction. And you know as an organization, remaining focusing continually listen to your customers even though a lot of it's going to be so essential because that kernel within the 5% knowledge is absolutely key.

Awesome. What's the key area of focus that should drive your organization?

So we completely focus on platform as a source company platform because it everything. We will not be able to grow evolve and reinvest in Apple if we don't get it profitable. So there are lots of things that we would like to do most things that we think would be great. Customers who regularly come in and if we can do ABFC we really drive that to the point that do we believe that's going to drive profitable. And if we do then we'll basically consider it and it's not going to drive profitable and we can't. And that's fundamental because I think we don't really keep focused on that area of growth. And then it's very easy to be derailed and before you know what you're trying to be.

Grant, what's your favorite book?

Yeah. So I like to read, I like to read a lot. I really like reading all day biographies because it brings understanding how people love their and the lessons get and really for probably one of the books is the most fun and the need was Nelson Mandela, the autobiography a long walk for freedom. To me that kind of lessons from nothing really is just there to progress along and winding. Right. But human team belief in what you're trying to do if you can really just keep going through all the obstacles going to maybe soon and ultimately you can get really just a question of being really truly truly believing what we trying to teach. And you know and I think Nelson Mandela felt like a truly inspiring when you see someone from his background and education his formative experiences and someone you know in the middle of his life may just become this amazing civil rights leader you know eradicated.

That's super interesting Grant recommendation. And folks if you're curious about that book about the syllabus that we just put together on cybersecurity for you and all the show notes just go to outcomesrocket.health/elliott, E L L I O T T, you can find all that there along with a full transcript of what we've just discussed today. Grant, Before we conclude I'd love if you could just share a closing thought and then the best place for the listeners to get in touch with you for more information.

Absolutely. Yeah I guess from a from opposing perspective you know the journey we've been on all of them devote five years ago. And you know it really has been an incredible an amazing journey. And we definitely appreciate the customers we have and all the prospects we talk to and from me, the biggest part of this is basically the team that we've been able to build here and the owners. There's some amazingly talented people we have on board that has made all this responsible. And if people want to learn more about our journey, learn more about this and you know feel free to go to Ostendio.com, our Web site. There's lots of great information, resources about cyber security compliance, framework and if you want to tweet me they can do so @Ostendio_CEO and you can see my marketing team and they gave me my source of handbook for the future rather than give it my name. So @Ostendio_CEO. Yes feel free to tweet.

That's awesome Grant. Hey listen this has been fun. I know that you dropped some major nuggets of wisdom here on all of us and we'll be walking away with some good calls to action but ultimately start small start now and looking forward to staying in touch with the Grant.

Great stuff, it's been a pleasure Saul. Thanks very much for inviting.

Hey Outcomes Rocket friends, thanks for tuning in to the podcast once again. As a leader in health care, you have big ideas great products, a story to tell, and are looking for ways to improve your reach and scale your business. However there's one tiny problem. Health care is tough to navigate and the typical sales cycle is low. That's why you should consider starting your own podcast as part of your sales and marketing strategy. At the Outcomes Rocket, I've been able to reach thousands of people every single month that I wouldn't have otherwise been able to reach if I had not started my podcast. Having this organic reach enables me to get the feedback necessary to create a podcast that delivers value that you are looking for. And the same thing goes if you start a podcast for what you could learn from your customers. The best thing about podcasting in healthcare is that we are currently at the ground level, meaning that the number of people in healthcare listening to podcasts is small but growing rapidly. I put together a free checklist for you to check out the steps on what it takes to create your own podcast. You could find that at outcomesrocket.health/podcast. Check it out today and find a new way to leverage the sales, marketing and outcomes of your business. That's outcomesrocket.health/podcast.

Automatically convert audio to text with Sonix

 

Recommended Book:

Long Walk To Freedom: The Autobiography of Nelson Mandela

Best Way to Contact Grant:

LinkedIn: Grant Elliott

Twitter: @Ostendio_CEO

Mentioned Link:

Ostendio, Inc.

Episode Sponsor: