1 00:00:04,780 --> 00:00:06,270 This is the Becker's Healthcare Podcast, 2 00:00:06,340 --> 00:00:07,950 created by the team of Becker's Healthcare, 3 00:00:08,110 --> 00:00:11,150 a multimedia company devoted to the people who power us healthcare. 4 00:00:11,460 --> 00:00:15,430 Four new 15 minute episodes are released daily containing industry news analysis 5 00:00:15,430 --> 00:00:16,230 and thought leadership. 6 00:00:16,230 --> 00:00:20,270 From powerful healthcare decision makers Support our show by leaving it a five 7 00:00:20,270 --> 00:00:23,550 star rating and review on Apple Podcast or other platforms you use. 8 00:00:23,700 --> 00:00:26,790 It's a chance to tell us what you like about the show and act on your feedback. 9 00:00:26,790 --> 00:00:28,750 Thanks for listening. Now here's the episode. 10 00:00:32,380 --> 00:00:34,670 This is Laura Dedo with the Becker's Healthcare Podcast. 11 00:00:35,330 --> 00:00:37,630 I'm thrilled today to be joined by Menin Kakar, 12 00:00:37,750 --> 00:00:40,790 who's cybersecurity executive director at Providence. Man, 13 00:00:40,860 --> 00:00:42,590 it's a pleasure to have you on the podcast today. 14 00:00:43,770 --> 00:00:46,360 Thank you so much for having me. Looking forward to the discussion. 15 00:00:47,840 --> 00:00:48,120 Absolutely. 16 00:00:48,120 --> 00:00:51,480 And I know this is gonna be a great one because there's so much happening in the 17 00:00:51,480 --> 00:00:55,080 cybersecurity space, especially with healthcare providers, hospitals, 18 00:00:55,080 --> 00:00:57,120 and health systems, you know, across the board. 19 00:00:57,470 --> 00:01:01,520 Certainly this is something that's top of mind for executives and executive 20 00:01:01,520 --> 00:01:04,360 teams. And so I'm looking forward to hearing more about what you're doing at 21 00:01:04,360 --> 00:01:06,920 Providence. But before we dive into that discussion, 22 00:01:06,920 --> 00:01:09,200 can you tell us a little bit more about yourself and your background? 23 00:01:10,540 --> 00:01:14,430 Yeah, absolutely. Um, Monan Cooker, I, I'm at Providence. 24 00:01:14,430 --> 00:01:18,590 I've been with Providence for about three years now. Before that, I was, uh, 25 00:01:18,630 --> 00:01:22,950 I spent a long time in cybersecurity and IT consulting with 26 00:01:23,510 --> 00:01:27,510 EY and Deloitte. And yes, I'm a technology enthusiast. 27 00:01:27,540 --> 00:01:31,310 I've spent a lot of time just thinking with various technologies, um, 28 00:01:31,770 --> 00:01:34,070 at work and outside of work. 29 00:01:34,250 --> 00:01:38,670 So technology is pretty fascinating. And just being in cybersecurity, 30 00:01:38,730 --> 00:01:43,470 the intersection of the various technologies and risks and business challenges, 31 00:01:43,500 --> 00:01:45,430 it's a fascinating space to, to be in. 32 00:01:47,030 --> 00:01:49,030 Absolutely. And you know, from your perspective, 33 00:01:49,940 --> 00:01:51,310 what got you interested in healthcare? 34 00:01:51,310 --> 00:01:55,150 Obviously cybersecurity is needed across so many different in industries, 35 00:01:55,290 --> 00:01:56,750 so why choose healthcare? 36 00:01:59,270 --> 00:02:02,870 I think being in consulting, I worked across, uh, 37 00:02:03,430 --> 00:02:06,630 a large variety of industries and finance. 38 00:02:07,540 --> 00:02:12,470 Finance sector is obviously one of the leading invest areas that has a 39 00:02:12,470 --> 00:02:16,670 lot of investment in cybersecurity and healthcare by nature 40 00:02:17,290 --> 00:02:19,990 of the risks it possesses, uh, 41 00:02:20,210 --> 00:02:22,630 in terms of patient data, 42 00:02:22,810 --> 00:02:26,550 in terms of making sure critical services are available, um, 43 00:02:27,050 --> 00:02:30,810 and it technology quickly becoming, 44 00:02:30,990 --> 00:02:35,450 and digital transformations quickly becoming a key component of how healthcare 45 00:02:35,450 --> 00:02:38,450 cyber, how, how healthcare is delivered. 46 00:02:38,790 --> 00:02:41,810 It was an interesting space where new things were being developed, 47 00:02:41,990 --> 00:02:46,290 new challenges were being thought about and how we are going to think about 48 00:02:46,320 --> 00:02:47,570 solving these challenges. 49 00:02:48,110 --> 00:02:52,980 So it was more of it being new in terms of 50 00:02:53,260 --> 00:02:54,580 a new thought process for, 51 00:02:54,960 --> 00:02:59,440 for similar challenges that finance the financial industry have been solving for 52 00:02:59,440 --> 00:03:02,120 a long time, or the defense sector was solving for the long, for, 53 00:03:02,140 --> 00:03:04,120 for a very long time. But in healthcare, 54 00:03:04,120 --> 00:03:08,840 we have to reimagine all these things because there was a direct component of 55 00:03:08,840 --> 00:03:12,360 patient safety interacting with patients, 56 00:03:12,840 --> 00:03:16,070 interacting with clinicians and physicians that we should, 57 00:03:16,070 --> 00:03:18,390 we shouldn't think of them as technology experts. 58 00:03:18,390 --> 00:03:21,710 Some of them are great technologists, uh, but, 59 00:03:21,730 --> 00:03:26,430 but the large landscape within healthcare is, is not about technologists. 60 00:03:26,530 --> 00:03:29,630 And bringing that perspective and bridging that gap is, uh, 61 00:03:30,090 --> 00:03:31,390 was an exciting challenge to me. 62 00:03:33,160 --> 00:03:36,400 Absolutely. Well, that's fantastic and certainly, you know, uh, like you said, 63 00:03:36,620 --> 00:03:40,440 an important and emerging field within the technology space as well as then 64 00:03:40,440 --> 00:03:43,320 needing a lot more from the cybersecurity perspective. 65 00:03:43,890 --> 00:03:47,280 Could you tell me about your cybersecurity program and team at Providence? 66 00:03:47,500 --> 00:03:50,400 How did you design the program and what really, you know, 67 00:03:50,400 --> 00:03:52,360 is unique about what you're doing? I. 68 00:03:53,330 --> 00:03:54,163 Think this is a, 69 00:03:54,490 --> 00:03:59,210 a very interesting question because when we thought about when, 70 00:03:59,280 --> 00:04:03,450 when our CSO Adams was talking about how he wants to build the cybersecurity 71 00:04:03,450 --> 00:04:05,450 program, we went back and forth on, you know, 72 00:04:05,790 --> 00:04:07,450 how are we going to reimagine things? 73 00:04:07,550 --> 00:04:12,450 How are we going to bring cybersecurity to a health system that 74 00:04:12,470 --> 00:04:15,010 has been around for, for so long? 75 00:04:15,510 --> 00:04:19,930 And is is in this intersection of rolling out so many new digital technologies, 76 00:04:20,710 --> 00:04:24,490 how we deliver patient care is being rethought and technology is being a big 77 00:04:24,720 --> 00:04:29,010 component as part of it, and therefore cyber risks, uh, 78 00:04:29,070 --> 00:04:33,010 become more prevalent. We started thinking about, you know, 79 00:04:33,010 --> 00:04:35,810 we should think about cybersecurity as a consistent, 80 00:04:36,880 --> 00:04:38,300 the approach needs to be consistent. 81 00:04:38,560 --> 00:04:43,260 So we picked the NIST cybersecurity framework as the, 82 00:04:43,260 --> 00:04:45,860 the core component around which we built our program. 83 00:04:46,440 --> 00:04:48,100 So as we started designing it, 84 00:04:48,100 --> 00:04:53,020 we spent a lot of time thinking about what problems was the cybersecurity 85 00:04:53,020 --> 00:04:57,460 framework trying to address. Like it really bridges technical controls in a, 86 00:04:57,800 --> 00:05:01,900 in a language that is not as technical with identify, protect, detect, 87 00:05:02,140 --> 00:05:05,540 response and recover. Like we can talk about those things with, uh, 88 00:05:06,370 --> 00:05:10,130 with enough examples from real world that have nothing to do with technology. 89 00:05:10,670 --> 00:05:14,970 So we picked the NIST cybersecurity framework as the core component around which 90 00:05:14,990 --> 00:05:18,410 we developed the, the framework developed our program. 91 00:05:18,990 --> 00:05:22,970 And as we started doing that, we identified key pillars that are well, 92 00:05:23,210 --> 00:05:26,090 identity and access management is a key component. How do we bring, 93 00:05:26,940 --> 00:05:27,970 bring on physicians? 94 00:05:27,990 --> 00:05:32,410 How do we manage their lifecycle of being able to go from one system to the 95 00:05:32,410 --> 00:05:37,330 other in a seamless way to deliver patient care without a lot 96 00:05:37,330 --> 00:05:40,450 of technology interruptions? And then how do we, 97 00:05:40,450 --> 00:05:44,050 from a security operations perspective, are always 24, uh, 98 00:05:44,110 --> 00:05:45,530 by seven eyes on glass. 99 00:05:45,550 --> 00:05:49,570 We are monitoring for new stress and how do we respond and recover? 100 00:05:50,030 --> 00:05:52,170 So we picked the new cybersecurity framework, 101 00:05:52,170 --> 00:05:55,370 we picked a few key functions that we wanted to, to build. 102 00:05:55,870 --> 00:05:59,880 And then another component was building the function out, uh, in, 103 00:06:00,220 --> 00:06:04,800 in our offshore capacity over in India so that we have security 104 00:06:04,800 --> 00:06:09,400 operations in the US that are monitoring and are able to quickly respond to 105 00:06:09,720 --> 00:06:12,920 incidents that are happening within the US time zone. But at the same time, 106 00:06:12,980 --> 00:06:17,040 we have a team out in India that is also providing the same level of visibility, 107 00:06:18,180 --> 00:06:21,350 same amount of eyes on glass vigilance to the threats, 108 00:06:21,650 --> 00:06:24,790 and they can work with our S teams if they see something. 109 00:06:25,250 --> 00:06:30,190 So making sure we are, we have a consistent framework, 110 00:06:30,190 --> 00:06:34,310 we build the capabilities on the pillars and functions around those, uh, 111 00:06:34,310 --> 00:06:38,750 components of the framework. And then having 24 by seven availability, 112 00:06:38,900 --> 00:06:40,270 that was a key component in, 113 00:06:40,450 --> 00:06:44,460 in how we designed overall our cybersecurity program. 114 00:06:44,600 --> 00:06:47,900 And then there are a lot of components of maturity in itself. 115 00:06:47,900 --> 00:06:51,500 Like at the core of it, cybersecurity, uh, is, 116 00:06:51,840 --> 00:06:54,940 is a service provider to our technology teams, to our, 117 00:06:56,080 --> 00:07:00,060 to our physicians and clinicians. So from a cybersecurity pillar itself, 118 00:07:00,360 --> 00:07:05,100 we have to rethink about how we deliver our services to our customers. 119 00:07:05,600 --> 00:07:06,420 And towards that, 120 00:07:06,420 --> 00:07:10,980 we spend a lot of time building a program management mentality 121 00:07:11,190 --> 00:07:13,780 where we have, we have the right engineers, 122 00:07:13,780 --> 00:07:16,260 we have the engineers working with the program managers, 123 00:07:16,680 --> 00:07:21,060 so we built a lot of people processing technologies around how we deliver these 124 00:07:21,220 --> 00:07:24,340 services. It is one thing to build a capability, uh, 125 00:07:24,480 --> 00:07:29,460 but delivering consistently and in a manner that the 126 00:07:29,460 --> 00:07:33,220 service can be consumed by the customers. That's a whole different challenge. 127 00:07:33,280 --> 00:07:36,780 So we spend a lot of time figuring out how we are going to deliver our cyber 128 00:07:37,060 --> 00:07:40,460 services, and we've been, it, it's a learning process. It's, 129 00:07:40,460 --> 00:07:42,740 we try a few things, some things work, some things don't. 130 00:07:42,960 --> 00:07:47,060 We spend a lot of time just kind of reevaluating, uh, what we've already built. 131 00:07:47,060 --> 00:07:50,860 So that's kind of how we continue to build and evolve our cybersecurity 132 00:07:50,860 --> 00:07:51,693 capability. 133 00:07:52,760 --> 00:07:54,060 That's fascinating to hear, 134 00:07:54,240 --> 00:07:57,060 and I really appreciate you talking through that because I know a lot of 135 00:07:57,060 --> 00:08:00,340 organizations are sitting in a similar place as, as you and, 136 00:08:00,360 --> 00:08:04,180 and where when you first joined Providence and trying to think through, 137 00:08:04,280 --> 00:08:05,820 you know, how do we, um, 138 00:08:06,200 --> 00:08:10,180 really transform and update and innovate within our cybersecurity space? 139 00:08:10,210 --> 00:08:13,500 What do we really need as healthcare becomes more, uh, 140 00:08:13,630 --> 00:08:18,540 integrated with technology and whether it's the healthcare delivery side or, um, 141 00:08:18,640 --> 00:08:19,330 you know, 142 00:08:19,330 --> 00:08:22,860 integrating technology into the operational aspects of the health system, 143 00:08:22,880 --> 00:08:26,100 it seems like there's just a lot of opportunities, um, 144 00:08:26,200 --> 00:08:29,980 and a lot of potential vulnerabilities. And so I can imagine that, you know, 145 00:08:29,980 --> 00:08:33,260 certainly we'll keep some folks up at night, but at the same time, you know, 146 00:08:33,320 --> 00:08:35,740 if you, um, have the right approach, 147 00:08:35,840 --> 00:08:40,260 it seems like you'd be able to at the very least, mitigate some of that risk. 148 00:08:41,940 --> 00:08:45,830 Yeah, and, and I think that's, that's the key to the approach, right? In, 149 00:08:45,910 --> 00:08:48,590 in the cybersecurity space, we often talk about, well, 150 00:08:48,770 --> 00:08:52,630 do the CISOs ever sleep at night? How do people sleep at night? And, 151 00:08:53,830 --> 00:08:55,760 and I think our philosophy is that if, 152 00:08:55,860 --> 00:09:00,080 if you are prepared or if you've gone above and beyond in making sure that you 153 00:09:00,080 --> 00:09:03,200 have the right controls, you have the right people in place, you, 154 00:09:03,300 --> 00:09:06,440 you enable them with technologies that allow them to, 155 00:09:06,940 --> 00:09:09,840 to provide services and do their jobs effectively and efficiently. 156 00:09:09,840 --> 00:09:13,640 And if we are prepared, we will be able to, 157 00:09:14,060 --> 00:09:18,480 to deal with certain challenges and issues. The, the fact of the matter is, 158 00:09:18,480 --> 00:09:23,360 the reality is every organization is susceptible to cybersecurity, uh, attacks. 159 00:09:23,370 --> 00:09:24,240 There is a, 160 00:09:24,250 --> 00:09:27,920 there is an industry understanding within cybersecurity that it's not a matter 161 00:09:28,020 --> 00:09:31,120 of, uh, if, but it's a matter of when. 162 00:09:31,500 --> 00:09:34,840 So if it is a matter of when Sotheby's going to be, uh, 163 00:09:35,020 --> 00:09:37,160 facing or dealing with cybersecurity attacks, 164 00:09:37,350 --> 00:09:40,000 then the conversation needs to be how are we going to, 165 00:09:40,380 --> 00:09:44,040 to respond and recover from those? Or how do we protect ourselves from, 166 00:09:44,470 --> 00:09:46,800 from those or mitigate as much as possible? 167 00:09:47,700 --> 00:09:51,040 So we spend a lot of time in making sure that we have the right controls, 168 00:09:51,500 --> 00:09:54,400 we test and validate the controls and make sure that, uh, 169 00:09:54,740 --> 00:09:58,800 if there is a challenge, uh, the team will rise up to it. And, you know, 170 00:09:58,900 --> 00:10:03,000 at Providence, we work very closely with our technology teams. 171 00:10:03,160 --> 00:10:05,200 A big component of cybersecurity is within, 172 00:10:05,380 --> 00:10:09,920 within the wider technology teams and within the business teams that interact 173 00:10:09,920 --> 00:10:12,440 with the systems. So we spend a lot of time with the, 174 00:10:12,470 --> 00:10:17,440 with the different leaders on their teams. We have a few groups where we, 175 00:10:18,620 --> 00:10:22,760 we talk about some of these things like data protection and third party risk 176 00:10:22,760 --> 00:10:26,760 management, biomedical security. It's not a, 177 00:10:27,130 --> 00:10:31,000 these are not problems that cybersecurity can just solve within cybersecurity. 178 00:10:31,330 --> 00:10:36,040 These are things that we can only solve if we partner well and we partner 179 00:10:36,150 --> 00:10:39,160 effectively with the rest of the organization. Um, 180 00:10:39,340 --> 00:10:42,400 and that is a key component of how we place the function. Uh, 181 00:10:43,180 --> 00:10:45,200 our program managers or engineers, 182 00:10:45,200 --> 00:10:49,320 they spend a lot of time talking to the different teams that interact with 183 00:10:49,320 --> 00:10:52,200 technology to understand how they use the systems, 184 00:10:52,620 --> 00:10:57,160 and then we bring in the risk perspective of how can somebody try and, uh, 185 00:10:57,630 --> 00:11:01,000 adversely impact problems from a cybersecurity perspective and what do we need? 186 00:11:01,580 --> 00:11:05,520 So we spend a lot of time really interacting with, with the different teams. 187 00:11:05,520 --> 00:11:06,353 And I think that is, 188 00:11:06,380 --> 00:11:10,440 having been in consulting and having seen so many industries, so many programs, 189 00:11:10,900 --> 00:11:11,800 uh, being built, 190 00:11:12,400 --> 00:11:16,240 I think the ones that succeed are the ones that really come together and 191 00:11:16,240 --> 00:11:19,680 collectively solve problems rather than say, Hey, we are cybersecurity. 192 00:11:19,700 --> 00:11:23,360 We wrote a policy, and if you don't follow it, well that's too bad. 193 00:11:23,360 --> 00:11:24,240 That's your mistake. 194 00:11:24,620 --> 00:11:28,920 That's not necessarily how you build an effective organization. And, 195 00:11:29,860 --> 00:11:32,120 and in order to kind of really address risks, 196 00:11:32,260 --> 00:11:35,920 you have to meet the customers where they are, understand their challenges, 197 00:11:36,180 --> 00:11:37,600 how do they interact with technologies, 198 00:11:37,860 --> 00:11:41,520 and then write the policies based on that, and then have the controls put in. 199 00:11:42,300 --> 00:11:46,680 That's kind of what, uh, the Providence Cybersecurity spends a lot of, uh, 200 00:11:46,830 --> 00:11:48,440 conscious time and effort around. 201 00:11:50,360 --> 00:11:52,540 That's so interesting to hear. And you know, I, 202 00:11:52,580 --> 00:11:55,720 I really appreciate that perspective because I can imagine, you know, 203 00:11:55,720 --> 00:11:57,560 certainly in a traditional sense, 204 00:11:57,680 --> 00:12:02,000 a lot of the ways that the technology department or division and teams are 205 00:12:02,280 --> 00:12:04,360 assembled are exactly as you mentioned, you know, 206 00:12:04,960 --> 00:12:08,160 building something and saying here, you know, make it work, . Um, 207 00:12:08,260 --> 00:12:12,360 and so especially with on the cybersecurity end, you know, when you, uh, 208 00:12:12,410 --> 00:12:16,120 bring on folks, um, to your team and, and, 209 00:12:16,140 --> 00:12:20,680 and have this set up to where you're co building or co-creating what's gonna be 210 00:12:20,680 --> 00:12:25,520 needed in the policies, are there any other, uh, I guess skills or, or, 211 00:12:25,580 --> 00:12:29,720 or something you look for in the people that you're bringing on the team to make 212 00:12:29,720 --> 00:12:33,600 sure that, you know, you're able to execute on this, um, 213 00:12:34,270 --> 00:12:36,680 very kind of collaborative and unique method of, 214 00:12:36,680 --> 00:12:40,520 of making sure that your policies and procedures are up to, up to snuff, 215 00:12:40,560 --> 00:12:42,360 I guess, in, in doing what they need to be doing? 216 00:12:43,810 --> 00:12:47,420 Yeah, absolutely. I think as we've been, uh, over the last, uh, 217 00:12:47,420 --> 00:12:51,700 three years when we started building the team and hiring, hiring folks, 218 00:12:52,710 --> 00:12:57,580 there was a lot of time spent into what it is that we are looking for in 219 00:12:57,580 --> 00:13:02,100 people who joined Providence, right? Providence as, as an organization is, 220 00:13:03,210 --> 00:13:05,430 is very close to its mission. Um, 221 00:13:05,810 --> 00:13:10,310 and that was something that we were, uh, that is stable stakes. 222 00:13:10,310 --> 00:13:14,750 Like anybody who comes in has to understand that Providence is a mission-driven 223 00:13:14,750 --> 00:13:16,670 organization at the core of it, 224 00:13:16,670 --> 00:13:21,590 like if we keep everything apart, at the core of it, 225 00:13:21,590 --> 00:13:26,590 Providence is trying to provide patient care to the communities in need. 226 00:13:27,250 --> 00:13:31,950 And that's, that's what we are here to do. And the only way, and this is again, 227 00:13:31,950 --> 00:13:35,950 this is my personal perspective, but the way we provide that is through empathy. 228 00:13:36,530 --> 00:13:39,190 We have to empathize with the people that we are serving. 229 00:13:39,330 --> 00:13:43,550 We have to understand and appreciate their challenges and then provide what we 230 00:13:43,610 --> 00:13:47,070 can to make their lives a little better. So I think from that perspective, 231 00:13:47,070 --> 00:13:49,230 when it comes to building the cybersecurity team, 232 00:13:50,090 --> 00:13:53,590 we are really focused on bringing in people who understand that culture of 233 00:13:53,620 --> 00:13:58,430 empathy. We, we spend a lot of time thinking about like, 234 00:13:58,490 --> 00:13:58,950 oh, you know, 235 00:13:58,950 --> 00:14:02,070 there are rock stars and there are heroes and there are individual contributors 236 00:14:02,070 --> 00:14:05,750 who are like, you know, I, I know this problem and I will solve this problem. 237 00:14:05,900 --> 00:14:10,270 Like that I mentality doesn't necessarily work in, in, 238 00:14:10,410 --> 00:14:14,870 in what we are building and what we've seen really work. So culture is, 239 00:14:15,010 --> 00:14:18,270 is really important in terms of who we bring on, 240 00:14:18,270 --> 00:14:20,670 what is their mindset to solving problems. 241 00:14:20,730 --> 00:14:23,470 It cannot be like I have the solution. It has to be, 242 00:14:23,690 --> 00:14:26,390 we will work together to figure out what the right solution is, 243 00:14:26,770 --> 00:14:31,750 and I bring in enough technical expertise or experience or real world 244 00:14:31,750 --> 00:14:35,150 experience where we can form the conversation in the right way, 245 00:14:35,150 --> 00:14:38,910 where we can help prioritize the different challenges that are being laid out 246 00:14:39,290 --> 00:14:43,790 or, or how do we engage people like that is a key component. 247 00:14:43,930 --> 00:14:47,910 So whether it is bringing on an identity and access management engineer, 248 00:14:48,050 --> 00:14:52,360 or it is a security operations person or a program manager, we, 249 00:14:52,780 --> 00:14:55,720 we are very mindful of figuring out what is the key requirement, 250 00:14:55,720 --> 00:15:00,520 the technical requirement of that particular role that should definitely be met. 251 00:15:00,860 --> 00:15:04,000 But at the same time, a huge component is, is this person, 252 00:15:04,360 --> 00:15:05,360 somebody who can collaborate, 253 00:15:05,420 --> 00:15:10,200 is this person who brings in the same mission values that Providence has of 254 00:15:10,200 --> 00:15:13,240 empathy, of understanding, of collaborating, um, 255 00:15:14,140 --> 00:15:18,080 and does this person have the, have the personality of, yep, 256 00:15:18,080 --> 00:15:20,520 this is a problem we need to solve. Let's roll up our sleeves, 257 00:15:20,520 --> 00:15:23,040 let's figure out how we are going to solve it. Um, 258 00:15:23,660 --> 00:15:27,560 and that's kinda what we've built the team around. And you know, there, 259 00:15:27,800 --> 00:15:29,880 there's a Steve Jobs quote that says that, you know, 260 00:15:29,880 --> 00:15:33,960 hire the right people and let them tell you what to do. Uh, 261 00:15:34,140 --> 00:15:36,640 that's kind of how we, we built the teams, 262 00:15:36,710 --> 00:15:40,000 like what tools and technology should we bring from cybersecurity perspective? 263 00:15:40,270 --> 00:15:43,440 Everybody in cybersecurity has a perspective on some of these things, 264 00:15:43,500 --> 00:15:45,680 has an opinion, knows what's happening out there, 265 00:15:46,260 --> 00:15:50,480 but when the team comes together and says that, hey, this tool is, 266 00:15:50,900 --> 00:15:55,240 is much better in terms of the challenges that we are actually seeing on the 267 00:15:55,240 --> 00:15:59,000 ground, that's a conversation that everybody can rally around instead of, 268 00:15:59,220 --> 00:16:02,760 you know, unilateral decisions being made by certain people, uh, 269 00:16:02,760 --> 00:16:06,480 which I've seen through my career in different organizations happen. 270 00:16:06,780 --> 00:16:08,080 So we are very mindful about, 271 00:16:09,200 --> 00:16:12,430 about that aspect of hiring and bringing in the right talent, uh, 272 00:16:12,430 --> 00:16:16,230 because once we bring in the people and kind of just let them do what, uh, 273 00:16:16,660 --> 00:16:18,710 what they're, what they're supposed to, 274 00:16:18,710 --> 00:16:20,510 and we encourage and they enable them to do that, 275 00:16:20,890 --> 00:16:22,590 things really start moving quickly. 276 00:16:25,280 --> 00:16:28,620 That's great to hear and certainly very inspiring in terms of, you know, 277 00:16:28,720 --> 00:16:32,140 how working together as a team really makes a difference. Now, 278 00:16:32,140 --> 00:16:35,700 before we wrap up our conversation, I wanted to ask really quick about, 279 00:16:36,120 --> 00:16:36,650 you know, 280 00:16:36,650 --> 00:16:41,460 cybersecurity as a part of the overall broader health system executive strategy. 281 00:16:42,020 --> 00:16:46,100 I know cybersecurity is a huge risk for hospitals and health systems across the 282 00:16:46,100 --> 00:16:46,600 board. 283 00:16:46,600 --> 00:16:51,540 So what is crucial when communicating this risk and need for resources to the 284 00:16:51,540 --> 00:16:54,980 board and senior leadership? I can imagine, and it's clear providence, 285 00:16:54,980 --> 00:16:57,460 they really understand why this is a priority. 286 00:16:57,460 --> 00:17:00,220 But for some organizations that are dealing with so much, uh, 287 00:17:00,860 --> 00:17:04,020 challenges right now financially and in so many competing interests, 288 00:17:04,080 --> 00:17:06,300 why does cybersecurity and how, you know, 289 00:17:06,300 --> 00:17:10,580 really need the resources and how do you impart that, um, to, to, um, 290 00:17:10,730 --> 00:17:11,580 executive leaders? 291 00:17:12,950 --> 00:17:17,480 Yeah, absolutely. I think, um, I think again on, on this one, I kind of, uh, 292 00:17:18,720 --> 00:17:22,920 I kind of piggyback on some of the experiences that I've had. Uh, 293 00:17:23,660 --> 00:17:26,760 you know, kind of just working with a lot of executives and boards, uh, 294 00:17:26,820 --> 00:17:31,240 in my consulting days. And context setting to me is, 295 00:17:31,500 --> 00:17:33,840 is a key component of it. Um, 296 00:17:34,220 --> 00:17:37,160 and what I mean by that is when we talk about cybersecurity, 297 00:17:37,160 --> 00:17:41,920 cybersecurity is a complex technology, uh, problem. It's a technical concept, 298 00:17:42,620 --> 00:17:47,160 but we don't necessarily have to talk about cybersecurity in those technical 299 00:17:47,530 --> 00:17:49,520 terms with everybody we talk to. 300 00:17:50,500 --> 00:17:54,680 And context setting of why should somebody care about what we are talking about 301 00:17:54,680 --> 00:17:59,320 from a cybersecurity perspective is critical, uh, towards that. As an example, 302 00:17:59,750 --> 00:18:03,360 when we talk to executive and boards, we are very, 303 00:18:03,360 --> 00:18:06,600 very mindful of not saying, um, 304 00:18:07,170 --> 00:18:08,720 broad statements like, you know, 305 00:18:08,720 --> 00:18:11,160 we have x million of vulnerabilities in our environment. 306 00:18:11,180 --> 00:18:14,870 We need the dollar to to resolve that. Sounds, 307 00:18:16,070 --> 00:18:18,290 sounds like a huge large scale, 308 00:18:18,790 --> 00:18:21,250 big magnitude problem when we throw out numbers like that. 309 00:18:21,630 --> 00:18:25,490 But even as somebody who's in cybersecurity who's been around for 10 years, 310 00:18:25,690 --> 00:18:27,650 I wouldn't know what to do with that information. 311 00:18:28,110 --> 00:18:31,170 So we try not to make broad statements or, 312 00:18:32,150 --> 00:18:35,650 or statements that are just like extremely technical and use words like, oh, 313 00:18:35,650 --> 00:18:38,770 we have c we have vulnerabilities, and all those kind of things. 314 00:18:39,110 --> 00:18:44,090 We really like to set the context based on the audience. So in terms of, uh, 315 00:18:44,470 --> 00:18:46,850 in terms of our conversations with executives, we, 316 00:18:46,990 --> 00:18:50,370 we really put in a lot of effort in trying on, uh, 317 00:18:50,870 --> 00:18:52,410 how we present the challenges. 318 00:18:52,430 --> 00:18:56,850 So we talk about it in terms of we have biomedical devices, uh, 319 00:18:56,880 --> 00:19:01,730 that have cybersecurity risks because they do not have the latest software. 320 00:19:02,480 --> 00:19:05,970 Okay, how do we bring them the latest software? Well, here are, 321 00:19:06,080 --> 00:19:09,090 here are some options. We can work with vendors. Well, what do, 322 00:19:09,090 --> 00:19:12,730 what happens if we don't do that? Um, here are some of the, 323 00:19:12,910 --> 00:19:17,090 the challenges that we are seeing in the industry. The F b I, the, 324 00:19:17,390 --> 00:19:20,530 the federal government are coming out with guidelines. 325 00:19:20,530 --> 00:19:24,490 There are brands and their attacks that are happening in edges and industries 326 00:19:24,490 --> 00:19:28,250 that have really impacted their systems and their operations. 327 00:19:28,510 --> 00:19:32,330 So we try to have a conversation with the audience based on the right context. 328 00:19:33,400 --> 00:19:37,330 It's not about the vulnerability that is about the risk and impact to the 329 00:19:37,370 --> 00:19:39,690 organization that that vulnerability brings. 330 00:19:40,110 --> 00:19:44,610 So we really spend a lot of time within our organization trying to understand 331 00:19:45,160 --> 00:19:49,250 what the risk and the impact is and how do we communicate it to the executives 332 00:19:49,250 --> 00:19:53,130 in LA in a non-technical, but a real world. 333 00:19:53,350 --> 00:19:57,450 How does it impact the business? How does it impact providence kind of way. So, 334 00:19:58,070 --> 00:20:02,130 and I think that context setting does go a a long way because 335 00:20:02,820 --> 00:20:04,930 executives are like, okay, now I understand. Okay, 336 00:20:04,930 --> 00:20:09,570 this is why we need to figure out how to upgrade our networks or biomedical 337 00:20:09,600 --> 00:20:12,850 devices or our core infrastructure or our data centers, 338 00:20:13,190 --> 00:20:14,610 or why do we need to move to the cloud? 339 00:20:15,470 --> 00:20:20,410 So then it really furthers the dialogue in terms of here's what we 340 00:20:20,410 --> 00:20:22,690 need to do and here's what it would cost. 341 00:20:22,910 --> 00:20:26,170 Now let's have that conversation as to what are the priorities revenue. 342 00:20:26,670 --> 00:20:31,210 So it really is about, uh, in my perspective, context setting, 343 00:20:31,750 --> 00:20:36,050 um, in terms of risk and impact and what would the investments get. 344 00:20:36,510 --> 00:20:40,570 And if we have that conversation in a consistent, consistent manner, uh, 345 00:20:41,030 --> 00:20:43,170 it does bring about a lot of positive change. 346 00:20:45,920 --> 00:20:48,460 That's great advice and great to hear. Minan, 347 00:20:48,460 --> 00:20:50,540 thank you so much for joining us on the podcast today. 348 00:20:50,570 --> 00:20:52,300 This has been such a great conversation. 349 00:20:52,580 --> 00:20:56,540 I always appreciate hearing from Providence executives and leaders just because, 350 00:20:56,720 --> 00:21:00,420 you know, you have so much going on within the health system, um, and, and, 351 00:21:00,420 --> 00:21:02,180 and so I've really enjoyed this conversation. 352 00:21:02,180 --> 00:21:03,860 I look forward to connecting with you again soon. 353 00:21:05,530 --> 00:21:07,890 Absolutely. Thank you again for holding me. This was, uh, 354 00:21:08,200 --> 00:21:09,370 this was a good conversation. 355 00:21:13,920 --> 00:21:17,170 It's so important for leaders at the top of organizations to keep learning, 356 00:21:17,320 --> 00:21:18,970 stay sharp, grow their networks, 357 00:21:19,320 --> 00:21:22,370 help our audience better do this in a more simplified, personalized, 358 00:21:22,370 --> 00:21:26,570 and meaningful way. Becker's Healthcare has launched my B h c, 359 00:21:27,080 --> 00:21:30,090 it's your trusted Becker's healthcare experience and more with content, 360 00:21:30,120 --> 00:21:32,330 connections, events and learning opportunities. 361 00:21:33,040 --> 00:21:37,930 Join the community free of charge@www.my dot becker's hospital 362 00:21:37,930 --> 00:21:39,610 review.com and we'll see you there.