In this episode of the Outcomes Rocket, we are privileged to feature Brad Marsh, Executive Vice President of Informatics at First Health Advisory. First Health is a leading risk management and digital transformation consulting firm dedicated to serving healthcare security, privacy, and IT orchestration and efficiency needs.
Brad shares his inspiration in healthcare. He discusses how First adds value to healthcare by showing all the connected assets on your hospital or health care delivery organization network and recommends mitigations to cybersecurity vulnerabilities without impacting the clinical posture. He explains how they empower clinicians to become more proficient in cybersecurity. Brad also shares his setbacks and the opportunities that will come out of post-pandemic.
About Brad Marsh
Brad Marsh is the Executive Vice President of Informatics at First Health Advisory. He is a U.S. Army retiree with more than 20 years of service. Brad began his career as an Air and Missile Defense Officer, and he gained technical and tactical leadership capabilities in complex environments, including a deployment to Mosul, Iraq. He then returned to school to become a registered nurse in 2011 and transitioned to the Army Nurse Corps, carrying for both Department of Defense and Veterans Affairs beneficiaries. In 2015, Brad was selected to attend the National Defense University and graduated with a master’s in Cyber Leadership, using his background in both medicine and technology. At the strategic, operational, and tactical levels, he became directly involved in the DOD’s modernized electronic health record deployment. His military career culminated as the Deputy Chief Medical Informatics Officer of the federal EHR modernization.
Advancing Secure and Efficient Healthcare with Brad Marsh EVP Informatics at First Health Advisory: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey everybody! Saul Marquez here, and welcome back to the Outcomes Rocket. Today, I have the privilege of hosting Brad Marsh on the podcast. He’s the Executive Vice President of Informatics at First Health Advisory. He is a U.S. Army retiree with more than 20 years of service. His military career was split between two areas of concentration, but his decade in each helped him develop a unique perspective. Brad began his career as an Air and Missile Defense Officer, and he gained technical and tactical leadership capabilities in complex environments, including a deployment to Mosul, Iraq. He then returned to school to become a registered nurse in 2011 and transitioned to the Army Nurse Corps, carrying for both Department of Defense and Veterans Affairs beneficiaries. In 2015, Brad was selected to attend the National Defense University and graduated with a master’s in Cyber Leadership, using his background in both medicine and technology. He became directly involved at the strategic, operational and tactical levels for the DOD’s modernized electronic health record deployment. His military career culminated as the Deputy Chief Medical Informatics Officer of the federal EHR modernization. Just an amazing person and a great leader in health care. I want to welcome you to the podcast, Brad.
Brad Marsh:
Saul, thank you very much for having me.
Saul Marquez:
It’s a pleasure to have you here, and I’m excited to dig into the experience you’ve had and some of the insights that we’re going to share with the listeners today. So to kick things off, Brad, I love to hear why health care and you know what inspires your work in health care?
Brad Marsh:
I started as an EMT Basic at the University of Dayton. They have a student run ambulance service and they saw something in me and offered me a position and paid for me to become an EMT basic. That’s when I got a taste of the life and really enjoyed it. I then continued while being an ROTC cadet and a full time college student, I became a part time firefighter and spent a lot of time taking care of people and really enjoyed it. Unfortunately, my time being a firefighter superseded that of my education at times, and I was given an assignment that was not in the medical field. As you said, I was an air and missile defender, but I always kept coming back to medicine. I was a volunteer EMT out in Steilacoom, Washington. And then as I was working at Ohio State University Army ROTC as a Instructor and Admissions Officer, I got a call from our brigade nurse counselor who said, hey, there’s a job opportunity to become a nurse in the army, and I could not pass that up. And so it was I became a med surge nurse. I learned palliative care. I learned medical, surgical. The army selected me to become an ER nurse, and it was through all of this I spent time really getting to take care of patients, critical thinking, working with the providers and the ancillary care and just really seeing how it all came together. And that’s what kept me in health care. The adventures of two masscal events in my life pushed me into health care informatics, and that was really the second Fort Hood shooting where we had to pass patients over to a civilian hospital and it took longer than it should have. And so I absolutely had a drive to make sure it was right. And so I’ve really enjoyed being an active part of this and to help the DOD and VA both come together and advance health care.
Saul Marquez:
Well, that’s fantastic, Brad. I mean, your background is so interesting and varied. You know, we on the podcast were about to actually launch a 12-part series around the amazing role of nurses in innovation and leadership in health care. And I’m so glad that you’re here. Another example, right, of how nurses are just crushing it in health care. You just did so much with what you had and you finished your stint there in the military as the Chief Medical Information Officer. I mean, that’s just fantastic. And so fast forward to today your work at First. So talk to us about that and how First is adding value to the health care ecosystem.
Brad Marsh:
So, you know, as you pointed out, culminating as the deputy CMIO at the firm and being the army’s really only cyber nurse, a nurse with a cyber degree, you don’t find many of those. I would sit in meetings and listen to how people talked about cybersecurity. And you know, I would watch the clinicians glaze over as the cyber geeks would get doing their thing. And then when the clinicians were speaking and talking about patient safety, the cyber people would glaze over. And I saw this over and over and over again. And it was through my relationship as a member of CHIME, the College for Health Care Information Management Executives that I met the company First Health Advisory. The CEO, Carter Groom and I became friends over time because I would always argue, and the argument was always because how are you incorporating the health care providers, the nurses, the people at the bedside? How are we really getting to that point with these medical devices? And he would always be interested in our conversations, and we’d sit and talk time and time again at multiple forums. And so when they offered me a job, it was a case of we want you to help us get to those clinicians, to talk to them. First Health Advisory I joke with Carter that our tagline should be See First, Understand First, Act Decisively, a saying that we used to use in Iraq for my unit, the 1st Brigade 25th Infantry. And its First brings value because they can show you the connected assets, they can show you everything on your network. But more than that, they understand where the information is going. They can apply contextual information to it and then advise how to improve your cyber security posture without impacting your clinical posture. And so, as the EVP of Informatics, it’s my job. I can understand the security framework. I can understand special publication 800-53 provision five. I can get involved. And as they recommend mitigations to these cybersecurity vulnerabilities or CVE’s out there, I can then bring this is going to impact health care thus and so, and that’s what we’re trying to do is we’re trying to bring those people to the table. When we go into a health care facility, that’s part of my job is to go out and grab those clinicians and bring them to the table to inform them of how this is going to go. Because the days of us being siloed into biomed and I.T. and clinicians and neither the three shall speak are over. As a nurse at the bedside, I am physically interacting with my bedside monitor, the vent and the IV pump. These things are all drawing an IP address. They are all doing something. You cannot treat an IV pump like a programmable logic controller. You cannot just lock out certain functions because you could then jeopardize the safety of a patient. That’s where having a nurse and the ability to discuss it with both the manufacturers and the clinicians and the cybersecurity professionals. That’s where we get a holistic view. And so at First, that’s what we’re providing is really that cybersecurity with clinical impact capability.
Saul Marquez:
Love it. Yeah, yeah. And you know, it speaks to the understanding that you bring to the table as an informed assist, as a nurse to the workflows, the nuances that could potentially be bad, you know, if interrupted. And on the other hand, you could be coming in with a cybersecurity only perspective and miss a lot of opportunities to just continue that care, providing that care in a good way. And so I love the synopsis that you’ve given. I also love your your motto. Was it see first, understand first, act decisively?
Brad Marsh:
That’s correct.
Saul Marquez:
I love it. I mean, I just love that. It’s a great summary that can be applied to the day-to-day in Iraq, but also in the front lines of care and protecting the organization. So talk to us a little bit about how you guys do what you do and how you do it differently in terms of an example.
Brad Marsh:
Well, a lot of what we do is there’s a lot of an initial on-boarding discussion where we talk with the client and we have interviews. But the interviews are not just at that C-suite level. The interviews are full spectrum. And then we focus on areas that show vulnerability. We partner with a multitude of vendors to do inventory of the connected assets and then we put logic behind it. A lot of people will come to you and sell you a device to listen. They’ll charge you a bunch of money. You’ll install it and then they’ll say, Thank you, have a great day and they’ll walk away. First is that connected asset management over time. We come in and say, ok, we’re not only going to put this in, but we’re going to help you contextualize the information. We are going to then help you understand the impacts. And again, that’s where I come in and we start to look at, OK, we’re going to put this mitigation. And clinically, what is the impact? So really, it’s that contextualization and really bringing you back. Are we doing what is best commercially, best practice? So are we following the next framework? If so, how are your controls mapping to that? What are your policies? How do they get actually implemented? It’s a great thing. Anybody can write a policy. It can get stored on a SharePoint or a shared drive. And if nobody actually understands it, we fail. The attack surface area, everybody knows that’s anything that draws an IP address can be attacked. Ok, fine. It’s not your cybersecurity person that is going to be there when it starts to act funky, quote unquote. It’s going to be a clinician. It is going to be a technician. It is going to be an end user that says, Wait a minute, that doesn’t look right. The other thing we do is we come in and we help educate. We are bringing the education to the endpoint so that the users are seeing this and they know when something doesn’t look right, who you’re going to call and you’re going to call somebody that can see, understand, and act. And that’s what we provided.
Saul Marquez:
Love it. Yeah. And you know, you’ve outlined a cookie cutter scenario, right? This is what happens every single time.
Brad Marsh:
Hmm. And it’s repeated time and time again. And as long as we start to empower our clinicians further out, we extend our perimeter. I like to use the analogy when we saw infection rates and realized that it was due to hand-washing. We just started teaching scrub in, scrub out. Did we teach them how to do their daily shower? Did we teach them how to use soap at home? No, because as part of their culture. So now we added scrub in and scrub out, so it was adding to their already existing culture. If you look at cybersecurity, cybersecurity is not part of the at-home culture. It is not part of everybody’s daily life. You’ll talk to anybody on the street and they’ll say, well, this company already has all the information anyway, so it doesn’t matter. When we start to relate to the end users how cybersecurity is important in their personal lives and how they build in to their personal cybersecurity posture, now we can add on it when they come in the hospital. For the last at least since 2009, cybersecurity was just a hindrance. It wasn’t part of their culture, and so that’s really, again, those engagements finding out what is the average person’s experience with cybersecurity. How do they take it? Is it more of a barrier or is it more a facilitator of their work? And then working through those relationships and the education sessions and the training and to really help the security program grow and mature over time? That’s how we’re going to make health care cybersecurity better for the entire industry. One only need to read the health care industry cybersecurity task force report to Congress that was published round about 2017. I helped contribute to that in a few chapters with the the task force, and it’s ubiquitous that there is a lack of understanding outside the hospital, and so we need to make sure that we spread that knowledge wide and far.
Saul Marquez:
Yeah. Well, you know, I think it’s important that we partner with businesses like First that have seen what could go wrong and the the opportunities to make things smooth and better as quickly as possible without compromising operations, without compromising clinical care. All these things are super important. And so do you have any particular examples, Brad, that that maybe you want to point to where you guys have have improved outcomes or maybe business processes?
Brad Marsh:
Well, I can’t go into specifics, obviously, because we do believe in confidentiality. We have seen time and again that the policies that are developed by the CSO usually stay in the CSO’s realm and they they aren’t promulgated through the departments. Being able to create actionable use of those policies and procedures make it important to the end users. Outcomes are different for every client because every client has a little bit different situation. We have to be able to meet the client where they are at. It’s so funny to me as a health care provider or a clinician is watching health care cybersecurity mature since really the big boom of meaningful use was to see that they just started getting these things and they didn’t really secure them. And so they started security in their stovepipe. The biggest thing is this is health care. So treat it like a sick patient. Meet the patient where they’re at. If a patient comes to me extremely obese with type two diabetes and multiple other things going on, I can’t tell them to immediately achieve X, Y and Z. They can’t. They cannot lose the weight within a few days. That’s not safe. We cannot get them to lower their A1C unless we take the steps. We all have that vision of where we want to go. That’s your strategic vision for your organization, that you want to align to. Treat it like health care. Cybersecurity is the exact same way. We have a sick patient that we need to get better. The outcome you base it on your strategic vision and then how are you going to get there? That’s your treatment plan. This is just health care, and our patient is our networks and our connected medical devices.
Saul Marquez:
Yeah, that’s a good way to put it. With that approach, you do what you can to eliminate the threats and strengthen the defenses of the system, all while preserving the workflow. What would you say is one of the biggest setbacks you’ve experienced, Brad and a key learning that came out of it?
Brad Marsh:
Honestly, my setback would have been my own personal point, and that was not related to my job. I am blessed beyond belief to work for such an awesome company and to have had a 20 year career with the military. But it was that first degree. It was that learning of time management and really understanding I have to do the hard stuff to get to the good stuff.
Saul Marquez:
Yeah.
Brad Marsh:
And and to balance my time out, I enjoyed being a firefighter. I enjoyed being an EMT and taking care of people and being where the action was happening. The biggest setback, I had many failures in that and it did teach me to be resilient and I keep going back to that resiliency every time I have. I run into challenges in my career and everything else. It’s OK. You pick yourself back up and you take a step in the right direction. And really, I’ve carried that forward into my career because yes, if you have a hospital that gets breached, that is bad and we need to make sure we take care of the patients and we need to make sure we take care of the data and we deal with the repercussions. But that does not mean it’s the end of the road. That means it’s a great learning opportunity. We need to pick up and we need to move forward. We’re constantly learning. If you’re not constantly learning, you have failed yourself in the future.
Saul Marquez:
It’s a good message, you know, and and it sounds like it’s something that happened to you early on that made an impact, and you’ve been able to to build on that sense, and so you’re at this point now where you’re making a big difference for, is it largely hospitals that you guys work with?
Brad Marsh:
Yes. Hospitals and other health care delivery organizations.
Saul Marquez:
Yeah. So hospitals, long term care centers, nursing homes, et cetera, right? So you’re here now and you’re making a difference for all these providers through their cybersecurity. You’ve got this super unique perspective with your nursing degree, and you basically planted the seeds of the EHR at the VA along with your colleagues there. There’s just a lot of rich knowledge that you have, you know, and the backdrop of COVID happened, and we’ve seen a lot of change. What are you most excited about?
Brad Marsh:
Honestly, COVID pushed everybody to their max and it is challenged health care systems. It has challenged IT systems, it’s challenged people. I’m excited that we’re moving forward and we’re getting vaccinated. And really one of the proudest moments of my career was when Cerner was able to utilize something that was custom to the Department of Defense that we developed before COVID and we had perfected the workflow was the mass vaccination module. And when COVID happened, the DOD participated just like every other customer in their COVID council. And I said, Hey, guys, we have this tool we’ve worked on for the past few years. I think it can work for COVID and it was utilized across the world and really to see the work that the United States Department of Defense developed and paid for and really collaborated with Cerner to be able to spread part of the solution to this. I was super proud of that and super excited to see it. But more importantly, I’m seeing more telehealth, I’m seeing more connected assets and I’m seeing more people asking it, starting to at least ask What’s important? How do we get this to secure? How do we make sure we can take care of everybody as best we can, but do it in a safe and secure manner? And so honestly, I think right now I’m excited for the opportunities that are come that are going to come out of the post-pandemic period. I think you’re going to see something similar to the Renaissance in that we are going to utilize things in a different way than we ever thought possible. And so absolutely, I see it’s coming and I see us being able to adapt and overcome just as we’ve done for the last year in a hellacious environment.
Saul Marquez:
Yeah, well said. Well, said Brad. There’s a lot to be excited about in the virtual care environment. And, you know, with the increase in virtual care and digital health, there’s an increase in need and also a threat in cybersecurity. So there’s never been a greater opportunity. And I would argue there’s also never been as much of a great threat to increase those access points into into the system. So consider your options carefully, folks, when you’re making these moves, and it certainly does help to have an organization such as first with, you know, clinicians like Brad and their expertise in the workflows to help you through these things. I mean, there’s you can’t be expected to know everything. And so, Brad, this has been fun. I’ve really enjoyed our time together. Why don’t you leave us with the closing thought? What should we be thinking about as this podcast finishes? And then if anybody’s interested in reaching out to you, what’s the best way that they could reach out to you or the folks at the company?
Brad Marsh:
So parting thoughts. If you have a cardiac problem, you go to a cardiologist. If you have a lung problem, you go to a pulmonologist. If you have a cybersecurity problem, you should go to the cybersecurity experts, those that know the signs and the symptoms and the treatments to best take care of you. We do it in health care. Why not do it for your cybersecurity and to get a hold of me? bmarsh@firsthealthadvisory or go to the first health advisory. We have a web presence there and we have methods for you to communicate with all of our team and to reach out and find us. It’s absolutely important and critical that you know how to take care of your situation and getting help is the first way. The last thing I would say also Saul. Run your virus checks, update it. Make sure your systems are up to date patched even at home. You don’t want your personal information being stolen. You don’t want to lose it to anybody else, so that’s what I’d recommend.
Saul Marquez:
So love it, Brad. Very practical advice, and we thank you for it. We thank you for your service, and we thank you for for the insights you shared with us. Thanks so much for spending time with us today, Brad.
Brad Marsh:
Thank you. So it’s my honor to serve.
Sonix has many features that you’d love including automated translation, share transcripts, transcribe multiple languages, world-class support, and easily transcribe your Zoom meetings. Try Sonix for free today.
Things You’ll Learn
Resources