1
00:00:00,060 --> 00:00:03,640
Would you like to exchange best
practices and ideas to improve care,

2
00:00:03,790 --> 00:00:05,520
enhance operational efficiency,

3
00:00:05,580 --> 00:00:07,960
and address financial
challenges with your peers?

4
00:00:08,600 --> 00:00:12,400
Becker's Healthcare is facilitating these
conversations at their eighth annual

5
00:00:12,580 --> 00:00:15,240
Health IT, Digital
Health and RCM meeting.

6
00:00:15,580 --> 00:00:19,560
You can check your
eligibility for complimentary
attendance at the link in the

7
00:00:19,560 --> 00:00:22,040
description. We are excited
to welcome you in October.

8
00:00:22,630 --> 00:00:25,120
This is Laura Dedo with the
Becker's Healthcare Podcast.

9
00:00:25,740 --> 00:00:28,120
I'm thrilled today to be
joined by Ani Santiago,

10
00:00:28,290 --> 00:00:31,880
Chief Information Security
Officer at Christiana Care. Ani,

11
00:00:31,880 --> 00:00:34,280
it's a pleasure to have you
on the podcast today. Thanks.

12
00:00:34,790 --> 00:00:35,623
For having me.

13
00:00:36,790 --> 00:00:38,450
Now, I know we've got a lot to talk about.

14
00:00:38,490 --> 00:00:42,210
There's so much happening within the
healthcare space and information security

15
00:00:42,270 --> 00:00:44,290
in general, but before we
dive into my questions,

16
00:00:44,310 --> 00:00:46,530
can you tell us a little bit more
about yourself and your background?

17
00:00:48,530 --> 00:00:52,300
Sure. Uh, so I, um, I have, I,

18
00:00:52,440 --> 00:00:55,140
I'm the CISO at Christiana Care. Um,

19
00:00:55,350 --> 00:01:00,020
Christiana is the largest health
system in Delaware, um, also serving,

20
00:01:01,000 --> 00:01:03,980
um, in New Jersey,
Maryland, and Pennsylvania.

21
00:01:04,380 --> 00:01:08,260
I had been there for eight
years, a little over eight years.

22
00:01:09,110 --> 00:01:09,943
Prior to that,

23
00:01:10,220 --> 00:01:14,380
I spent 10 and a half years at Einstein
Healthcare Network in North Philadelphia

24
00:01:15,120 --> 00:01:19,860
as their information security
and privacy officer. So, um,

25
00:01:19,860 --> 00:01:21,580
little over, well,

26
00:01:21,580 --> 00:01:26,540
almost 19 years of cybersecurity
leadership, healthcare experience.

27
00:01:29,820 --> 00:01:31,230
Amazing. Yeah. Wow,

28
00:01:31,230 --> 00:01:34,590
that's a lot of time that you've spent
in the healthcare industry and, you know,

29
00:01:34,590 --> 00:01:35,710
from your perspective,

30
00:01:36,040 --> 00:01:40,110
where do you see some of
the big opportunities today
in the headwinds that you

31
00:01:40,110 --> 00:01:40,943
have your eye on?

32
00:01:42,670 --> 00:01:45,130
Uh, so, so I think that, you know, there,

33
00:01:45,130 --> 00:01:49,530
there are a lot of opportunities to
really transform the way that healthcare's

34
00:01:49,530 --> 00:01:52,690
delivered through technology.
You know, over the years,

35
00:01:53,590 --> 00:01:56,730
the industry has adapted
electronic medical records,

36
00:01:57,600 --> 00:02:01,930
medical devices, um, you
know, after the pandemic, um,

37
00:02:01,930 --> 00:02:05,690
many were pushed into, uh, telehealth. Um,

38
00:02:05,690 --> 00:02:10,170
we're now looking at hospital at home
initiatives and really, you know,

39
00:02:10,170 --> 00:02:13,330
pushing care out to where the
patients really wanna consume it,

40
00:02:13,330 --> 00:02:16,210
which is closer to their home. And,

41
00:02:16,310 --> 00:02:20,650
and I think that the opportunities there
are to be able to really accomplish

42
00:02:20,700 --> 00:02:25,290
these things through the,
through innovative solutions and,

43
00:02:25,310 --> 00:02:30,170
and technological solutions. Um,
in terms of the headwind, uh,

44
00:02:30,440 --> 00:02:32,530
certainly, uh, um, as,

45
00:02:32,990 --> 00:02:37,930
as the proliferation of technology
takes place in the healthcare

46
00:02:38,250 --> 00:02:41,810
industry. So it does the
expansion of the, uh,

47
00:02:41,810 --> 00:02:44,770
threat landscape because,
you know, each of,

48
00:02:44,870 --> 00:02:49,650
of those components of technology
carries cybersecurity risk with it.

49
00:02:50,110 --> 00:02:52,810
And, and so as cybersecurity
professionals, I,

50
00:02:52,970 --> 00:02:57,130
I think where we're seeing the
headwinds beyond just the traditional,

51
00:02:57,790 --> 00:03:02,580
uh, threats, um, across
industries is really in, um,

52
00:03:02,630 --> 00:03:07,140
being able to secure devices, um, more,

53
00:03:07,140 --> 00:03:09,780
more and more devices as they, you know,

54
00:03:09,780 --> 00:03:12,460
as their usage and adoption
increases in the industry.

55
00:03:14,380 --> 00:03:18,780
Absolutely. I can imagine it's, uh,
a lot to take in, especially as the,

56
00:03:18,800 --> 00:03:22,660
as the information security officer to
stay on top of all the different devices

57
00:03:22,690 --> 00:03:26,180
that are coming through for
medical, especially reasons, um, in,

58
00:03:26,180 --> 00:03:29,660
in making sure that they're secure as
well as the partnerships that you have

59
00:03:29,660 --> 00:03:34,420
with the companies, um, whether it's
vendors or, uh, device companies. So,

60
00:03:34,560 --> 00:03:39,460
you know, as time goes on and things
evolve, how do you keep track of that?

61
00:03:39,460 --> 00:03:41,740
How do you really make sure that the, um,

62
00:03:41,740 --> 00:03:45,660
organizations you're working with and
devices that you're using are as secure as

63
00:03:45,860 --> 00:03:46,693
possible?

64
00:03:47,910 --> 00:03:51,910
I mean, it, it, it, it takes
a methodology. Um, and,

65
00:03:51,930 --> 00:03:55,990
and so for us and consistency,
some good processes and for us,

66
00:03:57,170 --> 00:04:01,630
um, you know, no new
technology or partnership that,

67
00:04:01,630 --> 00:04:06,070
that our organization wants to adopt,
um, all, all of that technology,

68
00:04:06,190 --> 00:04:10,070
I should say, goes through our
security risk assessment process.

69
00:04:10,450 --> 00:04:13,870
And so before we even
engage in contracting,

70
00:04:14,290 --> 00:04:18,750
the expectation is that our team
is reaching out to the vendors,

71
00:04:19,490 --> 00:04:24,270
um, assessing their security
programs, uh, developing,

72
00:04:24,930 --> 00:04:28,150
um, you know, documentation and, uh,

73
00:04:28,590 --> 00:04:31,870
identification of risks that are then, um,

74
00:04:33,060 --> 00:04:35,110
they're shared with me. Um,

75
00:04:35,130 --> 00:04:39,630
and then I engage with the clinical
leaders and business leaders and dialogue

76
00:04:40,050 --> 00:04:44,230
around risk treatment options,
risk management capabilities.

77
00:04:44,970 --> 00:04:49,790
And once we agree on the overall risk
management for any particular technology,

78
00:04:50,610 --> 00:04:55,110
uh, then we move to contracting
at which time we, um,

79
00:04:55,410 --> 00:04:59,870
add a set of security contractual
requirements that the vendors have to

80
00:05:00,290 --> 00:05:04,150
adhere to. Um, and, and
then we get agreement on,

81
00:05:04,250 --> 00:05:07,510
on how they're going to employ
security before we, you know,

82
00:05:07,610 --> 00:05:10,870
before we execute the contracts
and then deploy the technology.

83
00:05:11,130 --> 00:05:16,110
So it's a rigorous process that
that enables us to really, um,

84
00:05:16,550 --> 00:05:17,790
identify, uh,

85
00:05:17,790 --> 00:05:21,910
where we're introducing potential risk
into the organization and how we're going

86
00:05:21,910 --> 00:05:25,110
to manage those risks. Uh,
and then, you know, from a,

87
00:05:25,420 --> 00:05:27,070
from a team perspective,

88
00:05:27,170 --> 00:05:31,710
our team has technology
that we leverage, um,

89
00:05:31,810 --> 00:05:36,510
to document all of this work
and to manage the risks that we

90
00:05:36,710 --> 00:05:41,190
ultimately agree, uh, agree
on. So it's, you know, it's,

91
00:05:41,190 --> 00:05:44,510
it's a life cycle. Um, it's
incredibly time consuming,

92
00:05:44,530 --> 00:05:49,070
but it really does add value to the
overall conversation and to the healthcare

93
00:05:49,310 --> 00:05:50,143
delivery system.

94
00:05:51,280 --> 00:05:52,420
That's such a great point.

95
00:05:52,470 --> 00:05:55,860
Thank you so much for going through that
and really breaking down the process.

96
00:05:56,800 --> 00:06:01,660
Now, given what we've been talking
about on the information security side,

97
00:06:01,960 --> 00:06:05,300
how do you think about growth and
adding value to the organization?

98
00:06:05,500 --> 00:06:08,300
I know that cybersecurity is so important,

99
00:06:08,300 --> 00:06:13,260
information security is so important
and changing on a daily basis. Um,

100
00:06:13,320 --> 00:06:17,140
so from your perspective, what
are you doing kind of constantly,

101
00:06:17,140 --> 00:06:19,540
consistently to make
sure that, you know, the,

102
00:06:19,720 --> 00:06:22,100
the skills you bring to the table and, um,

103
00:06:22,160 --> 00:06:26,660
the investments in health IT are really
adding value to the overall health

104
00:06:26,660 --> 00:06:27,493
system?

105
00:06:28,810 --> 00:06:32,370
I think that's a great
question. I, I would say it,

106
00:06:32,390 --> 00:06:37,250
it starts with really having
a strong partnership with the

107
00:06:38,010 --> 00:06:42,770
clinical and business leaders and
really aligning the information security

108
00:06:42,770 --> 00:06:45,930
program with the overall
organizational strategies.

109
00:06:46,190 --> 00:06:50,470
So it starts with dialoguing
with our stakeholders,

110
00:06:50,470 --> 00:06:54,670
understanding, you know, what,
what, what are the areas where the,

111
00:06:54,670 --> 00:06:59,630
where the organization wants to grow,
how, what are the strategies for, for,

112
00:06:59,810 --> 00:07:00,710
for that growth?

113
00:07:00,970 --> 00:07:05,870
And then building an information
security program that facilitates those,

114
00:07:06,320 --> 00:07:08,310
those initiatives. So, um,

115
00:07:08,320 --> 00:07:13,310
think about it less about
building a security program

116
00:07:13,690 --> 00:07:14,523
in a silo,

117
00:07:14,770 --> 00:07:19,030
but more wrapping that security
program around the overall

118
00:07:19,130 --> 00:07:23,470
organizational strategy. And
in that way, you know, our,

119
00:07:24,010 --> 00:07:24,770
um,

120
00:07:24,770 --> 00:07:29,390
our vision mission can
be carried out with a

121
00:07:29,790 --> 00:07:34,230
frictionless model that doesn't have
security sort of getting in the way,

122
00:07:34,730 --> 00:07:38,670
but actually carrying the
overall organizational strategy.

123
00:07:40,370 --> 00:07:42,410
I love that. I think that
makes so much sense, you know,

124
00:07:42,410 --> 00:07:45,290
and really is very intuitive
when you're trying to, um,

125
00:07:45,290 --> 00:07:49,210
that make sure that you're able to
serve patients while you're able to keep

126
00:07:49,210 --> 00:07:51,610
their information safe.
You're able to, uh,

127
00:07:51,810 --> 00:07:55,490
continue operationally running effectively
without some of the challenges that

128
00:07:55,490 --> 00:07:59,690
come, um, with a
cybersecurity incident. So I,

129
00:07:59,770 --> 00:08:02,570
I love that kind of way of
looking at cybersecurity and,

130
00:08:02,590 --> 00:08:06,610
and information security
as well. Um, you know, I,

131
00:08:06,650 --> 00:08:10,610
I know in healthcare right
now, cybersecurity obviously
is very important and,

132
00:08:10,790 --> 00:08:11,130
you know,

133
00:08:11,130 --> 00:08:15,170
a lot of organizations would love to
put a lot of resources towards that. Um,

134
00:08:15,170 --> 00:08:17,650
you know, there's never too
much security that you can have,

135
00:08:17,830 --> 00:08:21,970
but right now a lot of hospitals and
health systems too are experiencing a

136
00:08:22,170 --> 00:08:23,610
challenging financial year, uh,

137
00:08:24,370 --> 00:08:29,090
staffing shortages and inflation
continues to make the budgets, you know,

138
00:08:29,450 --> 00:08:31,810
challenging for right now.
So from your perspective,

139
00:08:31,810 --> 00:08:36,290
where do you see as it still being
important to make investments within, uh,

140
00:08:36,290 --> 00:08:39,010
cybersecurity con security
and information security?

141
00:08:39,280 --> 00:08:42,290
What is really important if you've
got a limited resource pool.

142
00:08:44,050 --> 00:08:48,830
You know, making sure that
you're prioritizing the basics.

143
00:08:49,020 --> 00:08:51,150
Cybersecurity can be very expensive,

144
00:08:51,450 --> 00:08:55,820
but basic cyber hygiene is something
that doesn't cost a lot of money.

145
00:08:56,120 --> 00:09:00,700
And so I'm, I'm speaking in terms
of vulnerability management,

146
00:09:01,480 --> 00:09:03,940
uh, patch management, uh,

147
00:09:04,000 --> 00:09:08,980
really having strong security
operations, having, you know,

148
00:09:09,180 --> 00:09:12,260
building efficiency into your processes,

149
00:09:12,920 --> 00:09:17,090
all of that actually can save money. Um,

150
00:09:17,270 --> 00:09:19,530
in terms of, you know, the,

151
00:09:19,550 --> 00:09:24,370
the limited budgets that I think we're
all seeing across the industry, uh,

152
00:09:24,370 --> 00:09:28,810
just underline the importance of
really finding a balance between, uh,

153
00:09:29,360 --> 00:09:33,890
care delivery, uh, and patient
safety and cybersecurity.

154
00:09:34,230 --> 00:09:37,610
And, and so everything, everything
we do is about risk management.

155
00:09:38,040 --> 00:09:40,890
It's about looking at the
risk to the organization,

156
00:09:41,650 --> 00:09:46,490
prioritizing where we want to focus
our, our, you know, our budget and,

157
00:09:46,630 --> 00:09:51,370
and our resources. And then
ensuring that we're, you know,

158
00:09:51,370 --> 00:09:54,330
constantly putting our best
foot forward. Uh, that,

159
00:09:54,330 --> 00:09:56,530
that doesn't change with
constrained budgets.

160
00:09:56,530 --> 00:10:01,330
So it's still really looking at where
does the organization wanna move, um,

161
00:10:01,330 --> 00:10:04,170
care delivery, and then
what are the steps and,

162
00:10:04,190 --> 00:10:08,770
and the investments that we need to
make in order to advance that work.

163
00:10:09,430 --> 00:10:14,090
And then dialoguing with our
leadership to demonstrate, um, where,

164
00:10:14,100 --> 00:10:15,130
where we have risk,

165
00:10:15,180 --> 00:10:19,490
where we need to address
risk and partnering with them
on making decisions about

166
00:10:19,490 --> 00:10:21,410
priorities and investments.

167
00:10:23,230 --> 00:10:25,370
Got it. I love that. I think that
makes a lot of sense, you know,

168
00:10:25,390 --> 00:10:28,970
and definitely is helpful
to think about and understand,

169
00:10:28,970 --> 00:10:33,810
especially like you said, uh, having
that good cyber hygiene really, um,

170
00:10:33,810 --> 00:10:36,290
can make a big difference in
your vulnerability levels.

171
00:10:36,550 --> 00:10:38,970
So thank you so much for
going through that. Now,

172
00:10:39,070 --> 00:10:40,650
before we wrap up our conversation,

173
00:10:40,950 --> 00:10:43,650
I'm wondering if you could talk about
some of the best opportunities that you're

174
00:10:43,650 --> 00:10:45,650
seeing for growth and
development in the future,

175
00:10:45,720 --> 00:10:48,210
both for yourself as well as
the teams that you work with.

176
00:10:49,750 --> 00:10:51,130
So we are, uh, uh,

177
00:10:51,130 --> 00:10:54,970
Christiana Care is a very
technology forward organization,

178
00:10:55,560 --> 00:10:57,170
meaning we, um,

179
00:10:57,230 --> 00:11:00,970
we really believe that
through the digital means,

180
00:11:01,110 --> 00:11:04,970
we will be able to transform patient
care and, and deliver better care.

181
00:11:05,710 --> 00:11:09,690
And so for, uh, from that
perspective, we are doing, you know,

182
00:11:09,690 --> 00:11:13,370
things like hospital at
home where we are, you know,

183
00:11:13,440 --> 00:11:17,890
admitting patients to their home as
opposed to into a hospital room. Um,

184
00:11:17,890 --> 00:11:19,930
and if you think about, uh,

185
00:11:20,270 --> 00:11:24,530
if you've ever been in a hospital and
you've visited somebody in a hospital, uh,

186
00:11:24,590 --> 00:11:29,210
on average inside a patient's
room, there's about 17 different,

187
00:11:29,790 --> 00:11:34,050
um, medical devices that are attached
to the patient or to the walls. Um,

188
00:11:34,100 --> 00:11:38,730
we're delivering all of that
now to a patient's home, um,

189
00:11:38,800 --> 00:11:42,970
with the need to still, uh,
secure all of that information.

190
00:11:43,390 --> 00:11:47,810
So that, that's one area where I'm
really focused. I think that, you know,

191
00:11:47,850 --> 00:11:52,450
I agree with our organization's vision
that this is the way to really improve

192
00:11:52,450 --> 00:11:56,880
patient care and grow our capabilities
by expanding beyond the four walls.

193
00:11:57,800 --> 00:11:58,020
Um,

194
00:11:58,020 --> 00:12:01,780
and the opportunity there is that we
still have to secure all of those devices.

195
00:12:02,420 --> 00:12:06,300
I still need to do all that cyber
hygiene that I referenced, um,

196
00:12:06,300 --> 00:12:09,980
whether it's inside the hospital
or in somebody's home. So for me,

197
00:12:10,040 --> 00:12:13,420
the opportunities are
really to be able to, um,

198
00:12:13,480 --> 00:12:18,300
be a leader in the healthcare
cybersecurity space by identifying the

199
00:12:18,300 --> 00:12:22,900
architectures that are gonna be needed
to do this kind of, you know, to, to,

200
00:12:22,920 --> 00:12:26,820
to meet the kind, the new care
delivery model that, that,

201
00:12:26,930 --> 00:12:30,980
that I'm describing. It's not something
that has been massively adapted.

202
00:12:31,440 --> 00:12:33,540
So from a cybersecurity perspective,

203
00:12:33,540 --> 00:12:37,260
there's still a lot of opportunity to
be able to figure out how to do this and

204
00:12:37,280 --> 00:12:41,340
do this well. And what's exciting for
me in my role is that I get to do it.

205
00:12:41,660 --> 00:12:46,220
I get to figure it out and
hopefully, uh, hopefully, um,

206
00:12:46,280 --> 00:12:51,260
be able to then deliver a
security architecture that
healthcare organizations of

207
00:12:51,260 --> 00:12:55,900
the future, um, can, can adopt to, um,

208
00:12:55,930 --> 00:12:57,980
meet these new care delivery models.

209
00:12:59,660 --> 00:13:01,800
That's amazing. I, I love that. What a,

210
00:13:01,840 --> 00:13:05,400
a great time to be in healthcare and in
such a fun and interesting challenge,

211
00:13:05,540 --> 00:13:09,560
I'm sure. Ani, thank you so much for
joining us on the podcast today.

212
00:13:09,560 --> 00:13:12,760
This has been a really awesome
discussion. I've learned a lot,

213
00:13:12,820 --> 00:13:15,760
and I'm looking forward to meeting
you in person as well at our Health IT

214
00:13:15,760 --> 00:13:17,760
Digital Health and Revenue
Cycle event in October,

215
00:13:18,090 --> 00:13:21,400
where I know we'll just be able to
continue this discussion, um, and,

216
00:13:21,420 --> 00:13:23,920
and really talk about a
lot more as well. Well.

217
00:13:24,600 --> 00:13:27,730
It's been a true pleasure. Thank
you for having me on this podcast,

218
00:13:28,150 --> 00:13:32,970
and I too am looking forward to
continuing the conversation this fall and

219
00:13:32,970 --> 00:13:33,803
meeting you in person.

220
00:13:37,920 --> 00:13:41,010
It's so important for leaders at the
top of organizations to keep learning,

221
00:13:41,040 --> 00:13:42,890
stay sharp, grow their networks,

222
00:13:43,440 --> 00:13:46,610
help our audience better do this
in a more simplified, personalized,

223
00:13:46,630 --> 00:13:50,570
and meaningful way. Becker's
Healthcare has launched MyBHC,

224
00:13:51,080 --> 00:13:54,090
it's your trusted Becker's Healthcare
experience and more with content,

225
00:13:54,090 --> 00:13:56,410
connections, events and
learning opportunities.

226
00:13:57,080 --> 00:14:01,930
Join the community free of
charge at www.my.beckershospital

227
00:14:01,930 --> 00:14:04,010
review.com, and we'll see you there.

