1
00:00:00,130 --> 00:00:01,935
- <silence> Welcome to Becker
Healthcare Podcast, made

2
00:00:01,935 --> 00:00:03,615
for the people who power US healthcare.

3
00:00:03,895 --> 00:00:05,295
I am Molly Gamble at Becker's.

4
00:00:05,305 --> 00:00:07,975
Today I'm delighted to spend
time with Aaron Weissman,

5
00:00:07,985 --> 00:00:10,935
Chief Information Security
Officer with Mainline Health.

6
00:00:11,485 --> 00:00:13,095
Aaron, welcome back to the podcast.

7
00:00:13,465 --> 00:00:16,175
Thank you for being our guest
again. How are you today?

8
00:00:16,195 --> 00:00:17,735
And where does the podcast find you?

9
00:00:19,455 --> 00:00:22,625
- Yeah, thank you for having
me. I'm doing fantastic today.

10
00:00:22,625 --> 00:00:25,145
Thank you for asking. And
I am in sunny Philadelphia.

11
00:00:27,515 --> 00:00:29,355
- Terrific. And Mainline
has a presence there.

12
00:00:29,455 --> 00:00:33,115
For listeners, Aaron, who
could use a refresher again on

13
00:00:33,115 --> 00:00:36,075
Mainline Health, can you share
a bit about the system just

14
00:00:36,075 --> 00:00:37,115
for the listeners who would like

15
00:00:37,115 --> 00:00:38,235
to get reacquainted with it?

16
00:00:40,305 --> 00:00:43,075
- Yeah. We're a community
health system in the

17
00:00:43,075 --> 00:00:44,235
Philadelphia suburbs.

18
00:00:44,375 --> 00:00:46,275
We serve the Tri-state area.

19
00:00:47,045 --> 00:00:49,235
We're about five hospitals, a number

20
00:00:49,235 --> 00:00:50,475
of different ambulatory sites,

21
00:00:50,835 --> 00:00:52,075
clinical practices, et cetera.

22
00:00:52,915 --> 00:00:54,325
- Okay, great. Um,

23
00:00:54,385 --> 00:00:56,765
and Aaron, just to get us
up to speed on the year

24
00:00:56,785 --> 00:00:59,205
so far from you, where
are you investing the bulk

25
00:00:59,205 --> 00:01:02,125
of your time and energy
as of late in your work?

26
00:01:04,795 --> 00:01:06,885
- Yeah, so in information security, a lot

27
00:01:06,885 --> 00:01:10,125
of my time investment is
in mitigating ransomware

28
00:01:10,345 --> 00:01:13,205
and the impact of the
ransomware attacks, right?

29
00:01:13,385 --> 00:01:17,725
So all of the downstream
cascading effects that we see

30
00:01:17,725 --> 00:01:18,885
as a result of ransomware.

31
00:01:19,105 --> 00:01:22,325
You know, being able to prepare
for downtime, thinking about

32
00:01:22,345 --> 00:01:25,445
how we're handling third
parties, what we're going to do

33
00:01:25,445 --> 00:01:27,245
for system availability, et cetera.

34
00:01:27,665 --> 00:01:30,045
Uh, really top of mind for me.

35
00:01:31,445 --> 00:01:33,545
- Uh, it's so far this year, I mean,

36
00:01:33,545 --> 00:01:35,185
we have really seen information security.

37
00:01:35,285 --> 00:01:37,905
It has just been escalating to the top

38
00:01:37,905 --> 00:01:40,145
of the fold in the national conversation

39
00:01:40,485 --> 00:01:43,905
and also especially in
healthcare, uh, for the leaders

40
00:01:44,045 --> 00:01:47,505
who have been and remain
really close to this work.

41
00:01:48,215 --> 00:01:49,385
What, what skill sets

42
00:01:49,445 --> 00:01:53,425
or traits are you seeing as
having renewed value right now

43
00:01:53,565 --> 00:01:54,745
for, for the CISO role?

44
00:01:55,825 --> 00:01:56,825
- I

45
00:01:57,005 --> 00:01:58,005
think there are a few.

46
00:01:58,385 --> 00:02:00,245
One is definitely strategic planning

47
00:02:00,345 --> 00:02:01,365
and, you know, being able

48
00:02:01,365 --> 00:02:06,005
to drive a successful security
vision, we're not really able

49
00:02:06,005 --> 00:02:08,645
to actively mitigate
threats so much as react

50
00:02:08,645 --> 00:02:09,725
to them very, very quickly.

51
00:02:09,865 --> 00:02:13,365
And I think some of the more
successful CISOs are able to do

52
00:02:13,365 --> 00:02:15,125
that at scale, continually

53
00:02:15,265 --> 00:02:18,245
and keep their organization
safe as long as they can.

54
00:02:18,635 --> 00:02:20,925
There's also this element
to being able to plan for

55
00:02:20,925 --> 00:02:22,725
that downtime and figuring out, okay,

56
00:02:22,995 --> 00:02:24,925
once our organization's
hit with ransomware,

57
00:02:25,025 --> 00:02:28,765
how do I make sure I promote
my confidence, you know,

58
00:02:28,785 --> 00:02:30,405
in my ability to respond to

59
00:02:30,405 --> 00:02:31,645
that throughout the organization.

60
00:02:32,305 --> 00:02:34,685
And I think a lot of
that's being driven by, uh,

61
00:02:34,685 --> 00:02:36,805
another competency, which is being able

62
00:02:36,805 --> 00:02:39,005
to drive collaboration
across the organization

63
00:02:39,545 --> 00:02:43,005
and really being able to
explain security concepts to

64
00:02:44,165 --> 00:02:45,925
relative lay people when
it comes to technology,

65
00:02:46,505 --> 00:02:48,245
and really be able to
convince people, okay,

66
00:02:48,245 --> 00:02:50,405
this is a patient safety
and a patient dignity issue.

67
00:02:50,715 --> 00:02:53,405
It's not just a technology issue. Mm-Hmm,

68
00:02:53,445 --> 00:02:54,445
- <affirmative>.

69
00:02:54,445 --> 00:02:56,245
Mm-Hmm. <affirmative>. I mean, it's,

70
00:02:56,365 --> 00:02:57,605
I that makes a lot of sense.

71
00:02:57,675 --> 00:03:00,965
It's not the ability to only prevent you,

72
00:03:00,965 --> 00:03:03,125
you mentioned mitigation,
but also reaction

73
00:03:03,185 --> 00:03:06,285
and reacting quickly and
reporting on these attacks.

74
00:03:06,555 --> 00:03:07,885
It's, you know, it's interesting

75
00:03:07,885 --> 00:03:10,685
because understandably
information can be slow

76
00:03:10,705 --> 00:03:12,405
to be released and for a good reason.

77
00:03:12,945 --> 00:03:15,285
But do you feel, Aaron, like
you have a good community

78
00:03:15,285 --> 00:03:19,285
and there's good guidance out
there about if a ransomware

79
00:03:19,285 --> 00:03:22,245
attack were to occur,
how, how best to respond?

80
00:03:22,425 --> 00:03:25,525
Is there more community
there among the health system

81
00:03:26,565 --> 00:03:29,495
players than there was maybe
five years ago when this type

82
00:03:29,495 --> 00:03:31,495
of attack was still, you
know, relatively novel?

83
00:03:33,865 --> 00:03:37,315
- Yeah, I think there's a lot more, what I

84
00:03:38,075 --> 00:03:40,395
consider shared therapy
sessions around it, you know,

85
00:03:40,395 --> 00:03:41,675
where folks come together

86
00:03:42,135 --> 00:03:45,395
and talk about this horrible
shared plight, right?

87
00:03:45,415 --> 00:03:47,555
You know, the, the threat
of ransomware attack

88
00:03:48,055 --> 00:03:50,875
and how health systems are
organizing around that.

89
00:03:51,335 --> 00:03:55,795
And then healthcare, fortunately,
has had through HIPAA, uh,

90
00:03:55,955 --> 00:03:59,235
this longstanding obligation
to report healthcare breaches,

91
00:03:59,415 --> 00:04:01,595
et cetera, uh, breaches of
protected health information.

92
00:04:02,905 --> 00:04:07,415
Some health systems now have
the added, uh, difficulty

93
00:04:07,555 --> 00:04:10,415
of responding to SEC regulations, right?

94
00:04:10,435 --> 00:04:12,575
And, and having to report under much

95
00:04:12,575 --> 00:04:13,895
tighter timelines for that.

96
00:04:14,435 --> 00:04:16,495
So I think it's becoming
a lot more complex,

97
00:04:16,595 --> 00:04:19,095
but it's also driving a lot
more collaboration within the

98
00:04:19,095 --> 00:04:22,655
healthcare industry and trying
to figure out what other

99
00:04:23,775 --> 00:04:26,055
industry players are doing
in order to keep abreast

100
00:04:26,055 --> 00:04:29,895
of those new regulations
and new obligations. Mm-Hmm.

101
00:04:29,935 --> 00:04:32,295
- <affirmative>, that's the
answer I was hoping for.

102
00:04:32,475 --> 00:04:34,695
You know, I understand
competitive natures,

103
00:04:34,695 --> 00:04:36,135
but also if something like this occurs,

104
00:04:36,175 --> 00:04:37,695
I was hoping there would be some community

105
00:04:37,695 --> 00:04:39,015
and consensus around it

106
00:04:39,395 --> 00:04:41,535
and trying to, like, even if
it's like you said in the form

107
00:04:41,535 --> 00:04:43,455
of therapy sessions, but, um,

108
00:04:43,585 --> 00:04:45,535
we've seen these ransomware attacks grow

109
00:04:45,955 --> 00:04:47,375
to affect larger institutions

110
00:04:47,375 --> 00:04:51,375
and even become more cruel,
I would say, in nature with,

111
00:04:51,595 --> 00:04:53,015
you know, release of patient photos,

112
00:04:53,575 --> 00:04:55,935
children's hospital safety
nets, demanding large sums

113
00:04:55,935 --> 00:04:58,495
of money in 48 hours from
safety net hospitals.

114
00:04:58,955 --> 00:05:01,095
Uh, I'm just curious if you
have any other thoughts to add,

115
00:05:01,095 --> 00:05:02,895
Aaron, about the, the nature of these

116
00:05:02,955 --> 00:05:04,655
and the characterization of these attacks,

117
00:05:04,715 --> 00:05:05,935
if there's anything that stood out to you.

118
00:05:08,675 --> 00:05:11,325
- Yeah, I I think they're
incredibly profitable

119
00:05:11,325 --> 00:05:12,525
because of that brutalism.

120
00:05:12,745 --> 00:05:17,285
So health threat actors
are out there, you know,

121
00:05:17,285 --> 00:05:18,285
attacking health systems

122
00:05:18,435 --> 00:05:20,485
because they wanna make money not

123
00:05:20,955 --> 00:05:22,605
necessarily for any other reason.

124
00:05:22,665 --> 00:05:26,885
And the way they maximize
those payouts are by, you know,

125
00:05:26,885 --> 00:05:28,485
sort of the heinousness
of what they're doing

126
00:05:28,665 --> 00:05:31,325
by locking down children's
hospitals, by releasing photos

127
00:05:31,385 --> 00:05:32,765
of cancer patients.

128
00:05:32,765 --> 00:05:35,125
Those are some notable examples
over the past few months.

129
00:05:35,665 --> 00:05:38,405
Um, you know, where, where
really patient safety

130
00:05:38,425 --> 00:05:41,365
and patient dignity have been
pretty critically impacted.

131
00:05:42,165 --> 00:05:44,645
I, I find your commentary
about, uh, competition.

132
00:05:44,885 --> 00:05:46,285
Interesting. A lot of the
conversations I've had

133
00:05:46,285 --> 00:05:47,285
with my peers have been,

134
00:05:47,785 --> 00:05:50,525
we don't compete on information security.

135
00:05:50,595 --> 00:05:53,645
There's a lot of other
stuff that we compete on.

136
00:05:53,835 --> 00:05:55,765
Information security supports that,

137
00:05:55,865 --> 00:05:57,645
but it's not a competitive

138
00:05:57,645 --> 00:05:58,925
distinction between health systems.

139
00:05:59,545 --> 00:06:01,045
So why would we treat it like that?

140
00:06:01,645 --> 00:06:04,565
I, I, I think that makes
information security a lot more

141
00:06:04,885 --> 00:06:08,085
collaborative than maybe other
areas of hospital practice.

142
00:06:08,345 --> 00:06:10,525
Um, although I haven't really
seen any of the, you know,

143
00:06:10,525 --> 00:06:11,685
sort of cut throat competition

144
00:06:11,685 --> 00:06:13,325
that you might associate
with other industries.

145
00:06:14,345 --> 00:06:17,285
- Mm-Hmm. <affirmative>,
- Well, as more

146
00:06:17,285 --> 00:06:18,525
and more information continues

147
00:06:18,525 --> 00:06:20,565
to come at us about information security

148
00:06:20,665 --> 00:06:23,005
and threats related to it, Aaron,

149
00:06:23,105 --> 00:06:24,845
can you pinpoint one lesson or,

150
00:06:24,905 --> 00:06:29,125
or one bigger takeaway we
should take from 2024's

151
00:06:29,125 --> 00:06:32,005
events so far related to
information security in healthcare?

152
00:06:32,625 --> 00:06:34,285
Can you kind of boil the ocean for us?

153
00:06:34,705 --> 00:06:37,125
What's one big lesson we
should keep in mind here?

154
00:06:39,865 --> 00:06:41,995
- Diversify monolithic vendors,

155
00:06:42,415 --> 00:06:45,395
and I think we keep seeing
that lesson repeated over

156
00:06:45,395 --> 00:06:48,515
and over again, 2022, 2023, 2024,

157
00:06:48,885 --> 00:06:52,795
where these large service
providers that handle, uh,

158
00:06:53,055 --> 00:06:57,075
you know, either visibility
or, uh, office and email

159
00:06:57,415 --> 00:07:00,595
or even claims processing
for a large number of systems

160
00:07:01,185 --> 00:07:03,755
when they're impacted very negatively,

161
00:07:04,505 --> 00:07:07,075
that has cascading downstream impacts

162
00:07:07,075 --> 00:07:08,315
that are very significant.

163
00:07:08,415 --> 00:07:09,995
And if you put all your eggs in one basket

164
00:07:10,415 --> 00:07:13,875
and you're relying on
one service provider to

165
00:07:15,235 --> 00:07:18,325
effectively manage all
that downstream work, that

166
00:07:18,395 --> 00:07:20,285
that is going to lead to problems.

167
00:07:20,865 --> 00:07:23,605
So, you know, I think
there's a lot of inefficiency

168
00:07:23,605 --> 00:07:26,565
that's introduced by trying to
diversify in specific areas.

169
00:07:26,865 --> 00:07:29,125
And, you know, certainly it
takes a lot more work to manage,

170
00:07:29,665 --> 00:07:31,845
but at the same time,
you know, even this year,

171
00:07:31,885 --> 00:07:35,125
as we're seeing in the claims
processing space, um, very,

172
00:07:35,125 --> 00:07:36,965
very difficult to continue operations

173
00:07:37,025 --> 00:07:40,445
and continue to be profitable
as an organization if,

174
00:07:40,865 --> 00:07:42,565
you know, all your eggs are in one basket

175
00:07:42,665 --> 00:07:44,365
and that basket's destroyed, right?

176
00:07:44,825 --> 00:07:45,885
- Mm-Hmm. <affirmative>.
Mm-Hmm. <affirmative>,

177
00:07:47,065 --> 00:07:48,345
- I mean, the way you said that,

178
00:07:48,535 --> 00:07:50,905
diversify monolithic
vendors, it sounds like

179
00:07:50,905 --> 00:07:53,265
that's been something top of mind for you.

180
00:07:53,765 --> 00:07:55,145
Uh, I, I'm curious

181
00:07:55,145 --> 00:07:56,465
because there's, seems like

182
00:07:56,465 --> 00:07:57,705
there's two sides of the coin there.

183
00:07:57,705 --> 00:07:59,865
You, you hear from some in the data

184
00:08:00,085 --> 00:08:03,945
and IT world, they'll talk
about moving to one platform

185
00:08:04,085 --> 00:08:08,625
or one system and avoiding
fragmentation as if it's a,

186
00:08:08,705 --> 00:08:10,305
the only good thing.

187
00:08:10,325 --> 00:08:12,145
But I think as you just pointed
out, Aaron, there are a lot

188
00:08:12,145 --> 00:08:13,345
of risks with that too, right?

189
00:08:13,885 --> 00:08:16,465
Um, so I think sometimes the
way it's discussed, it's like

190
00:08:16,465 --> 00:08:19,385
that seamlessness is upheld
as the universal good,

191
00:08:19,845 --> 00:08:21,345
but as you just helped us remember

192
00:08:21,345 --> 00:08:23,545
and understand that there's
a lot of risks that can come

193
00:08:23,545 --> 00:08:26,585
with that if there's frailties
with, with that one system

194
00:08:26,585 --> 00:08:27,665
or that one basket.

195
00:08:29,905 --> 00:08:32,075
- Well, and it's ultimately
a risk management activity

196
00:08:32,135 --> 00:08:35,075
and how much risk the
organization wants to undertake.

197
00:08:35,655 --> 00:08:37,275
Um, I, I think there are a lot

198
00:08:37,275 --> 00:08:40,555
of benefits in minimizing the
number of vendors you have.

199
00:08:41,135 --> 00:08:44,675
But you know, then again,
the, the risk that any one

200
00:08:44,675 --> 00:08:45,875
of those vendors poses

201
00:08:45,875 --> 00:08:48,395
to your organization becomes
much more significant.

202
00:08:49,135 --> 00:08:52,755
And, you know, I mean, even
tech giants like Microsoft

203
00:08:52,935 --> 00:08:56,285
and Google and SolarWinds,
for example, you know,

204
00:08:56,505 --> 00:08:59,445
can be impacted and have been
impacted by cyber attacks.

205
00:08:59,585 --> 00:09:02,805
And it's, it's really
difficult to sort of say, okay,

206
00:09:02,985 --> 00:09:04,845
you know, we as an
organization are gonna be able

207
00:09:04,845 --> 00:09:09,045
to continue our operations
when these large monolithic

208
00:09:09,045 --> 00:09:13,165
organizations that spend,
um, in, in incredible amounts

209
00:09:13,165 --> 00:09:15,485
of money on cybersecurity
are also impacted.

210
00:09:15,785 --> 00:09:18,565
So it, it, it, it's definitely
something to think about

211
00:09:18,665 --> 00:09:20,645
and I think organizations need to take

212
00:09:20,645 --> 00:09:22,325
that into account when
they think about their

213
00:09:22,325 --> 00:09:23,805
downstream third party risk.

214
00:09:24,375 --> 00:09:26,925
- Right. Right. Well, Aaron Weissman,

215
00:09:26,925 --> 00:09:28,205
Chief Information Security Officer

216
00:09:28,205 --> 00:09:29,965
with Mainline Health, I
wanna thank you again.

217
00:09:29,965 --> 00:09:32,085
This has been a, a really
dynamic conversation.

218
00:09:32,485 --> 00:09:33,605
I appreciate your thoughts

219
00:09:33,605 --> 00:09:35,525
and expertise on this topic today.

220
00:09:36,105 --> 00:09:38,005
Any final thoughts or closing thoughts you

221
00:09:38,005 --> 00:09:39,085
wanna leave our listeners with?

222
00:09:41,825 --> 00:09:43,545
- I think my final thought
would be, you know,

223
00:09:43,545 --> 00:09:46,025
cybersecurity is a collaborative
effort, both within

224
00:09:46,045 --> 00:09:48,305
and without, you know, cyber threat

225
00:09:48,305 --> 00:09:52,105
actors are working with
each other to figure out how

226
00:09:52,105 --> 00:09:54,185
to maximize the impact
of their cyber crimes.

227
00:09:55,325 --> 00:09:57,825
We as security practitioners
need to be thinking

228
00:09:57,925 --> 00:09:59,785
how we can work within our organizations

229
00:09:59,805 --> 00:10:01,505
to develop cybersecurity strategy

230
00:10:02,045 --> 00:10:03,985
and also across industries to figure out

231
00:10:03,985 --> 00:10:06,145
how we can collectively
defend against these attacks.

232
00:10:07,255 --> 00:10:08,955
- Mm-Hmm. <affirmative>, Aaron,

233
00:10:09,035 --> 00:10:11,395
I wanna wish you continued
success and luck in your work.

234
00:10:11,715 --> 00:10:12,955
I think you hit so many great points,

235
00:10:13,055 --> 00:10:15,595
and I'm gonna keep in mind
the things you said about the

236
00:10:15,705 --> 00:10:19,315
CISO role, just so much emphasis
on strategic planning, how

237
00:10:19,855 --> 00:10:21,515
one and one's team reacts,

238
00:10:21,575 --> 00:10:24,035
and then keeping that
collaboration alive and well.

239
00:10:24,455 --> 00:10:27,235
Um, so Aaron Weissman, Chief
Information Security Officer

240
00:10:27,235 --> 00:10:29,515
with Mainline Health,
thank you for returning

241
00:10:29,515 --> 00:10:31,075
to the podcast, Aaron, and hope we can

242
00:10:31,075 --> 00:10:32,195
catch up again with you soon.

243
00:10:33,585 --> 00:10:35,505
- Likewise. And thank you
so much for having me.

