Outcomes Rocket _ Kirsten Nunez & LisaBisterfeldt: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey everybody! Saul Marquez with the Outcomes Rocket and I want to welcome you back to this amazing series we’re doing on cybersecurity for October. Just an incredible opportunity to level up what you are doing in the realm of cybersecurity. The average cost of cybersecurity incidents for healthcare organizations is 7 million dollars. There’s no reason why you shouldn’t be taking action on the things that you hear today, because I have two amazing guests and I’m going to introduce them to you. First, I want to introduce Kirsten Nunez. She is currently the senior operations manager for Emergency Management and Continuity at Intermountain Healthcare, which encompasses the entire spectrum of care extending into Idaho, Utah, and Nevada. With two decades of experience in healthcare operations. She joined Intermountain Healthcare’s Emergency Management Team in 2017 and coordinates preparedness efforts across seven hospitals, including Intermountain healthcare’s Adult Level one trauma center. I also have Lisa Bisterfeldt on the podcast, she manages Cyber Resilience for St Luke’s Health System in Boise, Idaho. St Luke’s is a nonprofit health system comprised of nine hospitals and 200 clinics providing care to communities across southwest Idaho. The Cyber Resiliency program includes components of incidents response, business continuity, and disaster recovery. Prior to transitioning into the cybersecurity arena, Lisa spent eight years working in emergency management in the healthcare and government sector, while Lisa and Kirsten led a strike force to develop the Operational Continuity Cyber Incident checklist, also known as OCCI, O C C I, to support the Incident Response Business Continuity Task Force under the healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group, which we’re doing this in partnership with. They both continue to support the work of the larger task force and developing other toolkits to support emergency response and business continuity that could affect all of our businesses and organizations. So with that, I want to, I want to give both Lisa and Kirsten a warm welcome to the podcast, welcome!
Lisa Bisterfeldt:
Thank you so much, Saul. Really looking forward to the conversation today and being able to share really the great work that Kirsten and me are able to lead.
Saul Marquez:
We’re excited to have you guys here. Now before we dive into OCCI and what exactly is it and how can it help folks listening, talk to us a little bit about yourself. What got you into cybersecurity and emergency response?
Kirsten Nunez:
Saul, I am more than happy to talk about my journey and, and share briefly about myself. As mentioned in the bio earlier, I began working at the front lines in healthcare at the bedside and really found a passion for that. As I grew though and continued my education, I realized quickly that I also had a passion for leading change and began working for a director over intensive medicine and clinical programs at Intermountain Healthcare, who supported the Salt Lake Valley hospitals, as well as those on the Wasatch Back. So if you’re familiar with Heber or Park City areas and traveling there, while working for her, her portfolio included intensive care unit directors and emergency departments on a broad scale. And interestingly enough, emergency management in the organization reported there, which is unique in that emergency management had a really strong clinical focus versus potentially being reporting up under the IT NIS Sector, but certainly a strong link and connection to our IT NIS partners, and I think that’s where, Saul, my journey into emergency management started. She tapped me on the shoulder and said, hey, you might want to make a difference here. And I really fell in love with continuity of operations, with business continuity and truly making a difference in, when things go bad on their worst day, how our patients, our caregivers, and our communities rely on us as critical infrastructure. So I don’t know that I have one, one moment in particular, Saul, but I’ve really enjoyed the journey in emergency preparedness and partnering with Lisa on this initiative to empower other healthcare systems or standalone rural hospitals to have a checklist and a tool kit that would enable them to successfully respond and to keep their patients safe.
Saul Marquez:
Thank you, Kirsten. Yeah, appreciate you sharing that. The work you guys do is super important. And Lisa, how about you?
Lisa Bisterfeldt:
So my background is in public health. I think, like Kirsten noted, a lot of people just get the luck of falling into emergency management, and I am definitely one of those. Just given my passion for public health, my focus has really always been on healthcare delivery and improving the health of my community and those that I serve. I was able to then carry this over by some of my emergency management work in the healthcare sector, really then looking to improve patient outcomes and patient delivery. A lot of times during an emergency or disaster, when we’re operating at a different, not within our normal realm. So I did do some emergency management work over the years, and then as we started to see the cybersecurity threat landscape intensify, from an emergency management perspective, we were seeing that when we did our risk assessment on an annual basis, the cybersecurity threats, threat was continuing to increase, which really intent to show that there was a need for St Luke’s to develop a resiliency program focused on not only mitigating cybersecurity risk but also improving our downtime processes to support those extended downtime events. So I transitioned into that role, leveraging not only my passion for public health and patient outcomes but being able to also utilize the amazing skill set that I learned in the emergency management realm, now bringing that to the cybersecurity arena and resiliency and continuity for the St. Luke’s Health system.
Saul Marquez:
Lovely, thank you so much for that, Kirsten, and having a plan in place to be able to deal with these these these cyber threats is critical, and so I’m really excited to dig in. Talk to us a little bit about OCCI. That’s O C C I, it’s a publication. How should health providers prepare themselves for what seems like an inevitable attack? And maybe what we’ll do is, Lisa, why don’t you kick us off and then Kirsten, would love to hear your thoughts on it as well.
Lisa Bisterfeldt:
Cybersecurity events are a little bit unique, in, when comparing them to other typical disasters that can happen within the healthcare arena, however, really responding to them, we can leverage the same standardized tools that we do within the health system for other emergency events. So the thought behind building this checklist was really to help bridge the gap between IT or IS in cybersecurity and health system operations and clinicians. When we sought out to do this, our overall goal was to help limit the impact of a cybersecurity incident on a hospital or a health system by creating tools and information that could be leveraged easily during an incident whether you are a small, rural, critical access hospital all the way up to a large health system. We really achieved this by having a really great workgroup that had a lot of different disciplines on it, brought a lot of different perspectives, and utilizing that, we were able to develop a checklist that encompasses the critical tasks that need to be completed during the first 12 to 24 hours of a cybersecurity event. By having that checklist available for leadership within the hospital or health system, it really helps take some of the guesswork out and allows those facilities to be able to start responding immediately and really prioritize their actions so that they are not only streamlining the response but also focusing on those high priority items at the beginning of the incident. In doing this, we also partnered with our emergency management colleagues to ensure that we were developing a tool that is in alignment with the Hospital Incident Command System and a hospital incident command system, or HICS, is something that our hospitals and health systems are familiar using. So it was really critical for us to be able to bridge the IS and the IT and the cybersecurity arena with the health system on something that was already standardized for incident response. Kirsten has a wealth of knowledge with emergency management, so I would hand over to her to talk just a little bit more about the structure and really how we put it together to help not only inform but also guide the health systems through this type of incident.
Kirsten Nunez:
I love that, Lisa. As Lisa mentioned, we wanted to remain aligned with national standards and best practices in emergency management and continuity, specifically, with the incident command structure. Our partners, so that we, that Lisa mentioned, in emergency management as we visited with them, the incident response guide that currently exists really makes the assumption that health systems or care sites already have plans in place that are ready to be activated and mobilized. And it’s been our experience that these technical cyber plans may not be as mature as we would hope, or teams may not have had time to build those yet while focused on other clinically driven disasters or crises. And so this plan, as Lisa said, to borrow her language, it takes the guesswork out of that, it takes the feeling of fear and the unknown and helps place it in a meaningful, valuable checklist that can be rapidly mobilized in the moment to really support that 0 to 12-hour response window, which is very critical in these types of incidents. We start the document by really looking at definitions or criteria, and I probably should back myself up just a moment to say the intent of this checklist is that it’s scalable and modifiable, just like incident command principles. So if a site doesn’t have the capability or the capacity, they certainly could modify this way that meets their own needs. From there, what we’re really excited about is the document allowing it, that the document can be pulled in a grab-and-go checklist format. So you have an incident commander, you have a medical technical specialist, a PIO or public information officer, a liaison, safety, operations, planning section, finance section, and logistics section chiefs that really can respond in a way that feels natural, normal, albeit you’re in an abnormal situation. We also have added in alignment with the FEMA documentation, an intelligence section chief role, and provided the guidance in the document that an organization ought to consider or contemplate how to navigate the medical technical specialist section with an IT or intelligence section chief. That way, the IT experts and the cyber experts, if they’re present in that organization can run their playbooks, run their response, really eradicate the threat, identify it, eradicate it, and then restore to normal operations the technical applications that are needed by all caregivers across a care site or a health system. We have not dictated how that should be implemented and instead have really taken the approach that it should be a template that can be used and leveraged in that moment. I think it’s especially important to call out in the document, thanks to our IT experts and cybersecurity experts like Lisa, that we wanted to establish a unified command structure or a scalable command structure within that. There are sites that their IT teams use a command structure in and of themselves. And so if your cyber or your IT teams are activating incident command, establish a unified command team with your operational leaders and your physician and nursing leadership teams. We all know that we are increasingly reliant in the clinical care setting on durable medical equipment, pharmaceuticals, on HTM or health technology management systems, and so we need a way to ensure that we can still do that when the lights go out.
Saul Marquez:
Well, this is fantastic, Kirsten and Lisa, and folks, for everybody listening today, make sure you check out the show notes of today’s podcast. You’ll find a link to this checklist that we’re covering today, the OCCI checklist, HealthSectorCouncil.org/OCCI. You don’t need to remember that, just open the podcast notes and check it out. But it is just an extremely thorough checklist to help you guys think about how to deal with these cyber incidents, and like Kirsten and Lisa mentioned, it’s really modifiable. So if you feel like there’s some things that you can’t do on the document, then do the things that you can, but ultimately be prepared. Kirsten and Lisa, how do you guys propose this be used? Because as I was looking at the document, I’m thinking, wow, like an organization could take a look at this and start thinking about who will play some of these roles, like finance section chief and logistics section chief.
Lisa Bisterfeldt:
Absolutely Saul, and I think that’s what we’re looking to organizations to do. We’ve really created a document, like Kirsten said, that can be edited, it can be modified, but really the power of that document is the work that you put in before an incident. That’s not to say if you have an incident that you can pull it, right? Checklists are amazing. We use them in our day-to-day. So the thought behind putting it together in a checklist format was in case we needed to pull that, it’s there for you. However, if you are able to review it with your emergency management team, with your hospital leadership, with your cyber or IT leaders prior to an incident, there will be a larger return on investment in utilizing our tool. You’re exactly right, and being able to not only walk through those actions, but also identify who would take point on that, who would be a good incident commander or a good person that’s leading your incident response through this process. Additionally, who would you look to help guide clinical operations from a medical technical specialist, or who would you want handling your logistics during this situation? It’s also a good practice to have a few backups because people aren’t always available. So you’re exactly right in identifying before an incident occurs. Who would fill these roles? Additionally, you know, going through the checklist to modify it so it makes sense for your organization. We all know that different organizations have different titles, or they might refer to things differently, and so that was the thought of making this an editable document, is it allows those organizations to use this as a starting spot and really make it fit their organization as well.
Saul Marquez:
Love it, thank you so much, Lisa. That is fantastic. Have you, if you’re listening to this, have you a plan in place to deal with an attack after it happens? If not, what an incredible resource. It’s available, it’s free, it’s downloadable, it’s editable. Take action, this is where it all happens. Who’s in charge of managing restoration?
Lisa Bisterfeldt:
I think that’s, definitely, when we focus on the checklist. It’s definitely something that is the initial response that needs to take place. But the reality is that’s only going to get you through the first 12 to 24 hours. So really when we’re looking at OCCI, it’s a great initial guide, but I guess the call to action would be for all of those health systems out there that are listening to this, you know, start planning ahead. You know, what we’re seeing is that the impact of these cybersecurity incidents can be much larger than anticipated. You know, healthcare as a whole is extremely vulnerable to cyber incidents because we are so dependent on the electronic medical record or we’re so dependent on our technology. And all of our devices are streamlined through technology, our scheduling is done virtually now, so there’s just so many different things that we rely on that technology to do, and when we have to work without it, things can get a little cumbersome, they can be challenging. So really thinking ahead to what are the plans going to be not only to respond but also to restore that? You know, there’s a lot of different ways you can do it, and I think that’s really the beauty of kind of the continuation of this checklist throughout the response. As Kirsten mentioned, we do have a spot for an incident commander, and per hospital incident command protocols that individual runs your entire incident, and really, they have the overall guidance and they are leading all of the incident objectives and activities. However, we’ve built the checklist really under the fundamental of assigning roles and responsibilities and leveraging collaboration amongst those roles to guide incident response and recovery. So really any cybersecurity response is a multidisciplinary event by nature. And really the checklist provides an opportunity for collaboration and discussion amongst those that really helps to inform the incident commander on the best decisions, whether that’s initially responding or starting the restoration process.
Saul Marquez:
That’s fantastic. Thank you, Lisa. And you’re right, it’s a multidisciplinary approach. There are so many things that need to be thought about and so many areas of the facility and the operations that need to be considered. And one of those, we’re in healthcare, it’s patient safety. So how do we keep patients safe if the proverbial lights go out?
Kirsten Nunez:
Such a good question, Saul, And I think Lisa touched on that as she mentioned, multidisciplinary internal-external response needs and that restoration is typically associated with the restoring of the technical piece. And yet how do you restore operations and processes that were where workarounds have been implemented or downtime processes have been activated? When talking patient safety, we need to understand do teams have downtime plans? Do they have redundancy built in? Do we have off-network solutions to still provide the highest level of care and/or the right care in the right place at the right time? When the lights go out, we will still have people showing up in emergency departments needing care. We will still have folks already in the hospital or needing clinic care, having children or loved ones, family members needing our services. So patient safety, keeping that at the forefront in all of the planning efforts, as Lisa mentioned, the mitigation and the preparedness factors cannot be overstated in their importance. And in the middle of response, frequent rounding by your incident command team, having processes for rapid escalation of barriers to patient safety are absolutely essential. The checklist does not tell you how to do that and instead relies on knowing that you should have or that you need to, walking away from today’s call, hopefully, get with your teams and understand how are you providing communication, interoperability. How are you escalating safety concerns and where are the gaps in your current downtime processes? In paper charting, many of our caregivers in the nursing world or in the physician world, their training is on documentation in an electronic medical record or an electronic health record. How often are we practicing paper charting and things like that? Lisa, I’d love to add your thoughts into the mix on patient safety when the lights go out, it’s absolutely criticalm ut’s why we exist.
Kirsten Nunez:
Yeah, I agree, Kirsten, and I think to piggyback up on the amazing comments that you’ve already stated, another thing that we’re looking at is healthcare as a whole we don’t experience downtime very often, and when we do, it tends to be short. We’ll have a quarterly upgrade or we’ll have a planned downtime. However, those tend to be 4 hours or less, and a lot of times it’s just the loss of the electronic medical record or it’s just a telephone outage or just a nurse call outage. And the reality is when we look at these cybersecurity events, the potential is that you could lose your entire health network, including telephones and electronic medical record, all of your essential applications that you utilize at once. So the idea of kind of the hospital going black is something that we don’t think of every day. Additionally, planning not only for the loss of all of your essential technology, but the loss of that for an extended downtime is really what we need to be thinking about. We would love it in cybersecurity if we could restore everything in 4 hours following a cybersecurity attack, but unfortunately, that just isn’t the reality. And we’re seeing across the country with healthcare systems and hospitals that are experiencing this, that they are having multiple days to week outages. So taking a look at your current downtime processes and being able to ask yourself, like Kirsten said, what are the gaps? But also how sustainable is this? Is this something that we would be able to do in, for multiple days or multiple weeks, and what adjustments need to be made there? One key point that we’re looking at is we aren’t used to paper, and additionally, when we look at kind of downtime documentation, there’s so much paper. So how can we consolidate those downtime forms? How can we consolidate patient charting to help make it a more user-friendly experience for our bedside clinicians when they’re doing charting? So asking yourself those questions and bringing the bedside clinicians in to help provide perspective and making sure that you’re building tools that will help meet that need should you ever experience an extended outage like this.
Saul Marquez:
Now, some fantastic guidelines there. Appreciate you both. This topic of patient safety is critical. And you’re right, I mean, all of the health system is, does become so dependent on a lot of these systems that are electronic and could get frozen or the lights go out. So it’s good to have a plan in place. And so as something like this happens, what’s the order of priority in restoring services and where do we go from here now that this work is done? Kirsten, maybe you want to kick us off there.
Kirsten Nunez:
Sure, such a great question, Saul. As we look at priority for restoration of services and processes, one of the key initiatives that really needs to be implemented across the healthcare sector is a business impact analysis that marries well with hazard vulnerability assessments and community-based … to be able to understand what are the processes that are universally needed in your care site or your hospital. Is it imaging services? Is it phone services in order to be able to carry out the process of clinical care? When you look at patient flow as a whole from entry into discharge, where are those key points or interconnected points? Is it your transfer center, is it lab pharmacy imaging? There are many and no one would say that no, that a particular process or department is less important or less valuable than another, and yet we do need to prioritize the work. As Lisa said, it would be lovely and wonderful if IT teams could restore everything in 4 hours and that’s certainly not feasible given how tech solutions are architected or are created, and designed, and engineered. So I strongly encourage a business impact analysis that truly looks at all four components of continuity, whether that’s an infrastructure disruption, a staff disruption, a supply chain disruption, or in today’s discussion, a technology disruption. And when looking at the impacts, it’s not just looking at the applications themselves, but at the processes that are the bedrock that rely on those applications. And once that mapping is done, it’s incredibly complex. It is a time-consuming endeavor and it is so incredibly valuable. I think, to the pandemic and how so many of us health systems decided that delaying elective surgeries was the right decision, and it was certainly the decision we made and was the right decision based on the intelligence and the data that we had at the time, but so many health systems are now recovering from that decision. And so you have reputational impact, financial impact, you have patient safety as our number one priority. How do you then overlay that together to make the best decisions you can to rank your processes and your functions that then helps the IT teams know how to match recovery and restoration to those needs? Lisa, I’m certainly no technical expert, but happy to have you join me in thinking through this together. It’s an incredibly complex question.
Lisa Bisterfeldt:
Absolutely, and I completely agree. It’s so complex, it can be really challenging as well. Kirsten is exactly right. Starting this off by hearing from end users or bedside or clinicians to help understand what are those essential services that we provide every single day at our healthcare locations, whether it’s a clinic, a freestanding facility, or a health system. But then I think that this is a great opportunity and a great initiative to partner with your IT and cybersecurity services on. As I mentioned, everything we do now is dependent on some form of technology and there is value in doing an exercise to identify the sequencing for restoring that different technology. You know, additionally looking at the, just like a hospital has infrastructure and has a foundation and a frame, our technical systems also have an infrastructure layer. So being able to understand what are those infrastructure programs or applications that we need to bring up first before we start looking into what patient-centered or healthcare-facing applications are we bringing up, and being able to have communication and education across the board on that, because these things take a lot of time. So you want to be transparent and you want to understand that while we know that you need medical imaging services and you need the electronic medical record, some things may need to have to come first and that might take a few hours or a few days, and so being able to then have your downtime processes that support those extended outages while we’re recovering. Additionally, working with your clinical and IT partners to understand workflow operations and how you leverage those different technical applications. I know within my hospital system we have integrated so many things and so many different processes are integrated through our electronic medical record. Our imaging services are integrated, our medication management, and our, and how we deliver medication is integrated into the electronic medical record. So being able to understand what does workflow look like and if we just bring up the medical record, technology, is that really going to be helpful or is there value potentially in bringing up multiple applications kind of in a bundle as well? So to Kirsten’s point, I think just again, prefacing is really challenging, it can be really complex, but being able to have a really good partnership approach of understanding what are those essential services, and then marrying that with the important sequencing of bringing up the technology in a way that is as quick as possible, but also helps to support bringing the care delivery function back online in a way that makes sense for those bedside operators as well.
Saul Marquez:
Wow, yeah, thank you, Kirsten and Lisa. There’s just like, wow, so much to think about here. It’s stimulating, but also really helpful to hear some of the examples that both of you have shared from, what is your, have you done that business impact analysis, and do you understand the infrastructure and how the tech and everything sits and how it works, how it operates, and who is going to do what? These are all things that we need to be thinking about, and the good news is that you don’t have to memorize it all. Lisa, Kirsten, and team have put together an incredible resource, it’s the OCCI publication that we’ve been covering all of today. So make sure you check that out in the show notes of today’s podcast. Take advantage of that, don’t stop at just listening, take action today, and so with that, Lisa, Kirsten, I want to thank you both for your time today and for sharing this incredible resource. Talk to us and, each of you, what’s the best place that the listeners could learn more about you or follow your work?
Lisa Bisterfeldt:
Saul, such a great question. Following our work related to the Health Sector Council, we’ll be producing additional documents and additional toolkits that speak to the larger conversation that we’ve had today relative to planning, mitigation, preparedness, emergency management and continuity programs, disaster recovery, IT program, cybersecurity maturity, so a lot more coming out of the Health Sector Council and would direct folks back there for additional toolkits and guidance. As far as following me, if you’re interested, based on today’s conversation, I can be found on LinkedIn, Kirsten Nunez, and happy to connect and answer questions that anyone has or Kirsten.Nunez@imail.org if an email or direct contact is ideal. Lisa, how about for you?
Lisa Bisterfeldt:
Yeah, I would echo that. This is just the tip of the iceberg. We’re really excited about other products that we are putting together as part of the workgroup with the Healthcare Coordinating Council and look forward to pushing those out in the next year. So really recommend going back and checking that website. Additionally, like Kirsten, you can find me on LinkedIn, at least Lisa Bisterfeldt on LinkedIn and would look forward to connecting or collaborating, answering any questions, but also hearing what you’re doing at your organization and what’s working well, if you would like to connect.
Saul Marquez:
I love it. Lisa, Kirsten, thank you both, and listeners, as I’ve mentioned in the previous episodes, we post all of these on our podcast channels, that’s where you’re listening to us right now, but we also post them on LinkedIn. And as part of Cybersecurity Awareness Month, we’re encouraging everybody that listens and that the topics we cover resonate with, that you chime in on the discussion and LinkedIn. We post all of these episodes on our LinkedIn channel, so if something that Kirsten and Lisa discovered or shared with us today made a difference for you, or if you’re going to decide to do something about it, we encourage you to join the conversation on these posts that we’re going to do on LinkedIn, along with the awareness program. So Lisa, Kirsten, thank you both so much again for being with us.
Lisa Bisterfeldt:
Thank you Saul, and thanks for the opportunity today.
Kirsten Nunez:
Thank you, Saul, I very much enjoyed the conversation and look forward to learning from others in the industry.
Sonix has many features that you’d love including enterprise-grade admin tools, world-class support, transcribe multiple languages, upload many different filetypes, and easily transcribe your Zoom meetings. Try Sonix for free today.
