Outcomes Rocket_Greg Garcia: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey, everybody! Saul Marquez with the Outcomes Rocket, thank you so much for tuning in again today. I don’t know if you guys know this but October is cybersecurity awareness month and since 2004 the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, really to help individuals protect themselves online as threats to technology and confidential data become more commonplace. We’ve got this month on cybersecurity awareness, and I’m so lucky to have Greg Garcia join us on this first of ten podcasts on cybersecurity and the things that are working in the sector. So let me tell you a little bit about Greg. He’s the executive director for Cybersecurity of the Health Sector Coordinating Council, the convening organization for Critical Healthcare Infrastructure, organizations that are working in partnership with HHS and other government agencies to protect the security and resilience of the sector. Patient safety and public health is where we’re focused here. Greg was the nation’s first DHS assistant secretary for cybersecurity and communications under President George W Bush in 2006 to 2009, where, among the other achievements he initiated, the creation of the National Cyber and Communications Integration Center, also known as NCCIC. He served as executive director for the Financial Services Sector Coordinating Council, set up the IT Sector Coordinating Council, and held several executive positions with Bank of America, 3Com Corporation, and Information Technology Association of America. Greg also served as professional staff on the Committee of Science in the US House of Representatives, where he helped draft and shepherd the enactment of the Cybersecurity Research and Development Act of 2002. So we are with an expert in this space and he’s done so much already in the healthcare space with cybersecurity. So with that, I want to welcome you, Greg, to the first podcast.
Greg Garcia:
Thanks, Saul, it’s great to be here.
Saul Marquez:
Man, such a pleasure, and we have so much to cover in this series, and I’m so fortunate to be here with you to kick us off. Can you share more about the Cybersecurity Health Coordinating Council, Greg, to help us learn more?
Greg Garcia:
You bet, your listeners are thinking, Oh, there’s a financial sector coordinating council, there’s an I.T. sector. What is this? The Sector Coordinating Council is kind of a generic term that represents industry organizations around critical infrastructure protection. Back in 1998, there was a presidential executive order, and since then several more that have updated that executive order, and it just basically recognizes we have these critical industry sectors in the country that we depend upon, whether it’s financial services or I.T. or healthcare or electricity or telecommunications, water, and transportation, and these critical sectors in serving the public also face a number of systemic threats to our ability to serve the public, whether they are physical threats like flooding from hurricanes, or wildfires, earthquakes, or manmade threats like terrorism or cyber attack. And it’s the notion that these industry sectors, we are the primary owners and operators of these critical services and assets, and we need to organize ourselves around identifying and mitigating these systemic threats and to do it together but also to do it with the government. So I mentioned this executive order, what it did is set up a public-private partnership, industry, and government working together with the understanding that market forces alone aren’t going to solve complex, ever-evolving challenges like cybersecurity and regulation alone isn’t going to solve these problems, so it needs to be addressed in a more collaborative and resilient way. It doesn’t mean that regulation goes away, but it means that we try to build more common understanding, joint initiatives, it’s a shared challenge and therefore a shared responsibility. So the Health Sector Coordinating Council and specifically our Cybersecurity Working group is addressing that challenge. We now have about 370 organizational members from industry, a dozen or so government members, including Health and Human Services, the Veterans Administration, Department of Homeland Security, and others, and we are organized around developing a number of different cybersecurity, best practices, guidance documents, what have you on various specific civic cybersecurity functions of importance to the healthcare sector. So we are developing these resources by the sector for the sector with the hope that we are going to raise the bar across the ecosystem and just over time improve the cybersecurity, cybersecurity, and resiliency of the sector.
Saul Marquez:
Well, that’s fantastic, Greg, and would love to hear more about key initiatives that you guys are up to. But, you know, before we go there, I mean, you have such a wealth of knowledge in this space. What is it that motivated you to get into cybersecurity?
Greg Garcia:
You know, you talk to a lot of cybersecurity people and a lot of them are going to say they just fell into it. They came in through the side door not knowing that’s where they were headed. But, you know, early in my career, I was involved in that intersection between economic security and national security through a variety of policy issues, and cybersecurity was one of them. And I’ve always been motivated by generally that intersection between business and government that, you know, some of our essential businesses are essential critical infrastructures. If we are critical infrastructure, we are providing a public service. If we’re providing a public service, we are public servants, and I’ve always been motivated by that. I’ve always felt to be a public servant, whether I am in government or whether I am in industry and cybersecurity is one of those, it’s one of those issues that is not political. And, you know, I’m in D.C., I’ve been in D.C. all my career. There’s so many political issues, policy issues that will go one way or the other because of politics. But for the most part, that’s not the case in cybersecurity. It is a bipartisan, nonpartisan issue. It affects everybody equally. The difference is in healthcare, it doesn’t affect healthcare equally. Actually, people can die because of result, because of cyber attacks, and so we have to be mindful of that. And so we have one of our key slogan, it’s not a slogan, it’s the truth, for a National Cybersecurity Awareness Month and all year round is that patient safety requires cyber safety, so that’s what I’m motivated by.
Saul Marquez:
That’s awesome, Greg, I love that. I’m glad you’re at the head of this organization because your passion for it shines brightly and healthcare is critical infrastructure and everybody listening to this episode cares. What does it mean to healthcare organizations and the government? Healthcare is critical infrastructure.
Greg Garcia:
It means that, first of all, there is a definition of critical infrastructure in the US Patriot Act from 2002, and that definition is echoed throughout various other policy documents, and I’ll paraphrase that it is basically, critical infrastructure consists of those assets and services that the public depends upon for our economic security, our homeland security, our national security, and our public health and safety, and it is those assets and services that the public depends on us, the owners and operators, to restore in the event that they are significantly disrupted by any kind of a threat or incident, again, whether physical or manmade like cyber attacks. So that is what critical infrastructure is, and it is often, if you think about some of the major critical infrastructure industries, you think, well, if one of them goes down, goes down in a catastrophic way, a major cyberattack that halts operations in a major bank or a major multi-state hospital system, well, that’s going to have ripple effects throughout the ecosystem and throughout the supply chain. And you only need to look at the implications of the COVID pandemic and what that did to the supply chain where the healthcare industry, be in critical infrastructure, suddenly we are having difficulty getting those key elements that go into pharmaceutical ingredients or PPEs, protective equipment, like masks and latex gloves, that is a palpable example that everybody felt as to how when critical infrastructure is affected by a significant incident, everybody will suffer.
Saul Marquez:
Yeah, no, that’s fantastic, Greg, thank you for explaining that to us. See yourself in cyber, it’s the theme of the month and it gets down to the idea that cybersecurity starts with people, and everybody listening to this podcast today, if you’re not thinking about it, it’s time to think about what you can do for your organization in cybersecurity. And so, by the way, I want to share with you guys that Greg and his team have done so much already. You don’t have to reinvent the wheel. Greg, can you share what’s been one of the biggest milestones of your work on cybersecurity thus far?
Greg Garcia:
You bet, before I go there, though, you know, you mentioned cybersecurity starts with people. I just want to pick up on that point because you also gave my bio. And so one of the defining phases in my career was being the assistant secretary for cybersecurity at the Department of Homeland Security, and this was back in 2006, ’07, ’08, ’09 when cybersecurity still was not very much in the consciousness of the average people out there who are not cyber geeks, right, it starts with people. And one of the things I did, and I think it was the 2008 National Cyber Awareness Month, is my people at DHS put me on what my PR guy called a national media tour, meaning I woke up at four, got into a TV studio at five, and from five until nine or ten in the morning, I was beamed to probably two dozen local news stations where mothers are feeding their children, getting them ready for school. And it was about National Cybersecurity Awareness Month, and I typically had anywhere from 70 to 90 seconds on a short segment of the local news. And, you know, one of the reporters from I don’t know, let’s just say it was from Houston, So, Mr. Garcia, so, tell us, what is cybersecurity? And so I had 20 seconds to try to distill the complexity of this topic and try to get get the point across to people just going to work every day that they actually do have a little bit of responsibility too, it isn’t just the I.T. person’s job. So the point of that is to say that I think we’ve come a long way in terms of general public awareness of this shared challenge and the shared responsibility right down to the parents getting their children ready for work. So I’ll stop there, but I think that was just that was very instructive about how far we’ve come over the past, jeez, 15 years now. So your question about what are some of the major initiatives we’re working on? You know, healthcare is multifaceted. I mean, think about healthcare, of course, it’s, there’s multiple different subsectors. We have the direct patient care, you know, the hospital systems and the clinics. We have medical device manufacturers. We have pharmaceutical companies, labs, and blood. We have health I.T., we have plans and payers and we have public health, and so all of them form kind of an ecosystem. So we’re trying to address those cybersecurity issues that are cross-cutting, that have relevance to two, three, or more of those subsectors so that we can actually collaborate and understand all the interdependencies, interconnection points along the value chain of healthcare. So one particularly interesting and ongoing issue is, how do we deal with medical devices. There is a lot of very expensive, very large medical devices, CT scans, MRIs, whatever, that were built and designed many years ago without cybersecurity in mind because it wasn’t much of a problem in the healthcare sector 20 years ago. And how do we deal with those devices and now new devices that are being built and designed? How do we design and build cybersecurity into medical devices from the beginning? And how do we manage the cybersecurity of aging medical devices as they age in the clinical environment? And it becomes a question of who has accountability, who has responsibility, the medical device maker, the health delivery organization, again, a shared challenge and a shared responsibility. How do we mature the industry so that medical devices deployed in a clinical environment don’t become a vector for a cyber attack, either that it becomes the conduit for a cyber attack throughout the rest of the hospital network system or the device or fleet of devices itself become victim to a cyber attack such that they either stop working or they stop working correctly and are corrupted to deliver the wrong dose or to show the wrong readings if it’s diagnostic? Very scary stuff, fortunately, there has not been reported instances of any significant patient harm because of medical devices being hacked. But as cybersecurity professionals, you’re paid to be paranoid, so we think about the prospects and try to plug the gaps.
Saul Marquez:
Yeah, you know, Greg, that’s really well said, and how do we contextualize the problem in dollars or in impact, like annually? How big is this challenge?
Greg Garcia:
You know, the dollars, the dollar number has changed depending on which vendor or which study is doing a survey and trying to quantify it. The most palpable way to think about it is we attend an annual summit, an annual meeting called Cyber Med, and during that summit they stage a simulation. So medical students go through, I guess, third year and beyond, go through simulations where they are observed responding to an emergency situation which was unexpected, where they have to make decisions based on their education and on their instinct, and in this case, an actor is wheeled into an operating room having suffered a stroke. And again, it’s a simulation and the med student has to put the stroke victim through a CT scan to determine whether the stroke was because of a brain hemorrhage or a clot. Well, in this simulation, the CT scan was hacked so that the image was taken, but it wasn’t returned so that the med student had no indication of whether it was a clot or a hemorrhage. The decision on what treatment you’re going to give that patient without that information, if you give a blood thinner thinking it’s a blood clot and it actually was a hemorrhage, you will kill the patient, and so this is what we observed. So that is a palpable example, and this comes back to patient safety requires cyber safety, but there are any number of other measures. You can go to the Office for Civil Rights at HHS, which enforces the HIPAA regulations. If an entity gets breached, they have to report it to HIPAA, and HIPAA compiles the number of breaches across the sector, and what the reason was, and what the cost was, and it varies all over the place, but some hospital systems have suffered tens of millions of dollars because of, for example, ransomware attack. And it’s not just the dollars, it’s the reputation, it’s staff morale, it is regulatory and compliance jeopardy, it’s class action lawsuits, and of course, it’s patient safety. So cybersecurity has a number of impacts on organizations beyond financial that the C-suite needs to be mindful of.
Saul Marquez:
Love it, thank you, and you know, you’ve been doing this before cybersecurity was even a thing.
Greg Garcia:
So I was cyber before cyber was cool.
Saul Marquez:
That’s right, that’s right. Greg, what would you say has been one of the most surprising findings you’ve uncovered since then?
Greg Garcia:
Surprising, I would say that, first of all, the most, I would say inspiring, is the way this sector has come together. When I came in, I mentioned the medical device issue, there was significant tension between the device manufacturers and the hospital systems about who’s responsible and who’s to blame and how do you improve the situation through this organization. We’ve brought them together in a more collaborative rather than recriminating roundtable to get them to listen to one another and understand their respective business models and what their pain points are and what their incentives are, what their motivations are, and there’s been a lot of mutual understanding that has been engendered because of this. So I wouldn’t say that’s surprising when you get thoughtful, rational people together, but it is inspiring. Yeah, I guess if I could say what really has surprised me, I mean, personally, it is the extent to which healthcare cybersecurity can affect each one of us personally, whether we are a patient or whether we are a clinician, or whether we are a cyber professional. We’ve heard testimonials from patients who have a pacemaker or patients who have a glucose monitor, and they are also hackers, that one surprised me. There was one fellow at a workshop that FDA was hosting, and I believe he has a glucose monitor, and he said, let me see if I can hack it. It’s a glucose monitor that’s attached to his body. And he could hack something, and it, and I might be misstating it, but he took it to the point, just to the edge of causing him self harm to see if he could do that, and he did. He didn’t cause himself harm, but he was able to find where vulnerabilities exist in this very basically simple device. It’s, it takes readings and it opens and closes to deliver a bolus of insulin. And the same with pacemakers, not complex devices. And so in the same with the patient, the hacker patient who had a pacemaker, and she’s been quite public about that. And so what are their expectations and how do they deal with the constant reminder that they have something in their body that can be hacked? Just like the fictional vice president in the TV show where his pacemaker was offed by a cyberattack. So I guess that was surprising to me that somebody that close to healthcare cybersecurity is both a hacker and a patient.
Saul Marquez:
Yeah that is, and pushing the envelope there opened up those vulnerabilities and made us more aware and now a lot of companies, your group are working to really bridge those gaps in security. So we’re going to cover a lot of things on this podcast series, Greg, and so you want to give the listeners a sneak peek on what we’re going to cover on the coming interviews?
Greg Garcia:
You bet, well, what the Sector Coordinating Council has done over the past four years is develop a whole series of, I think I mentioned this before, a whole series of publications, recommendations, best practices, and we’re going to go through a lot of those with our listeners. I’ve mentioned medical device security, but we’re going to talk about supply chain management. How do you be sure that your vendors are doing the right thing? How do you deal with an incident once an attack has finally happened? How, as an organization, do you deal with that? We also want to talk about telemedicine and other forms of healthcare delivery. My goodness, the list goes on, so I really urge your listeners to come back for the next one, and we’re going to walk through some of those best practices for you, and you can check them all out on our website at HealthSectorCouncil.org under recommendations.
Saul Marquez:
That’s fantastic Greg, and folks, yeah, it’s going to be, I mean, just an exciting series with Greg and his team. So excited to have you all check all of those out on this amazing month, Cybersecurity Awareness Month of October. Greg can’t thank you enough for the partnership to put this amazing content together for our listeners. What closing thought would you leave everybody with and what’s the best place for them to get in touch with you or follow your work?
Greg Garcia:
Absolutely, closing thought: look, here’s the principle for what we do in the Sector Coordinating Council, is that none of us individually is as smart as all of us collectively. And that is an essential principle for when critical infrastructure gets together or any group gets together to be, to protect themselves. It’s like a neighborhood watch. The competitive equities are set aside because there’s a lot of competitors in this organization. We recognize that the biggest competitor is the cyber adversary. So we proceed with a principle articulated by the national cyber director, Chris Inglis, that in order to beat one of us, you have to beat all of us. So that’s my closing statement, and if you want to get in touch with me, you can go to HealthSectorCouncil.org. That is our website, all the information is there, there’s a contact page, and I urge you all to, for those of you who are healthcare organizations, get involved. We need your help and we need to help spread the word so that we can raise the bar of cybersecurity across the ecosystem from large to medium to small organizations. So you all are critical in that endeavor.
Saul Marquez:
Greg can’t thank you enough for kicking off this series and for the amazing work that you and the team are up to in cybersecurity for healthcare. Thank you so much and excited to keep this one going.
Greg Garcia:
Me too! Great being with you, Saul. Thanks a lot.
Sonix has many features that you’d love including share transcripts, transcribe multiple languages, upload many different filetypes, automatic transcription software, and easily transcribe your Zoom meetings. Try Sonix for free today.
