
A
This is Laura Dardo with the Becker's Healthcare podcast. I'm thrilled today to be joined by Steven Ramirez, Chief Information Security and Tech Officer for Renown Health. Steven, it's a pleasure to have you on the podcast today.
B
Hey Laura, great to be with you.
A
Absolutely. Now I know it's always fascinating to speak with you because you've got such a great big picture and future focused view of technology, cybersecurity, considering all the different things that are happening in healthcare today, AI as well as government policy changes and more. So you know, I'm looking forward to this conversation. But before we begin, for those who are just starting to listen to the Becker's healthcare podcast, can you introduce yourself and tell us a little bit more about your background?
B
Yes. Again, good to be with you. My name is Steven Ramirez and I'm the Chief Information Security and Tech Officer at Renown Health. I've been there for almost four years. Renown Health is up in Northern Nevada so it covers the Reno Tahoe area. We're an integrated health system, four different locations and fresh transplant center, urgent care; we're the area trauma center. So really a lot of different service lines that we have that are to serve our community and looking to grow different components of that moving forward.
A
That's great to hear and I am excited to kind of talk to you because I think there's such a diverse patient population that you serve and certainly a lot of key considerations in that when you think about cybersecurity. So can you give us a little lay of the land, what's happening right now? What is top of mind for you, the opportunities and headwinds that you have your eye on?
B
Well, there's a lot in cyber security I think that just, you know, AI is continuing to be a buzzword but a lot more of that's coming to fruition that we saw over the weekend that there was news that the Chinese government did the first ever AI autonomous attack on some various interests. So you know, we've been talking about it for a long time to really say how is AI going to be used for the good, bad and the ugly. We finally saw how threat actors can leverage it to target various organizations. So that's something that as we're continuing to look at our cybersecurity posture, hygiene and emerging threats to really keep front and center of mind that AI is only going to get more sophisticated in tactics and techniques, but also somebody that might not have a lot of technical acumen is going to be able to do a lot more with getting up to speed and becoming more sophisticated just on AI, being able to enable their overall tech ability that they used to not be able to do and really just help fast track a lot of the attacks from you know, phishing to social engineering to you know, being able to do reconnaissance, you know, before threat actors would look at your organization for weeks, months, etc. They can learn so much about the organization, you know, leadership, players, service lines, partners and all of that in a click of a button or a phrase. So that's really where we're having to stay up to speed and continue to evolve and make sure that we're addressing these risks as we move forward.
A
That makes a lot of sense and it's really fascinating to hear about the Chinese government that first ever autonomous attack using AI. When you look at AI within the healthcare space in particular, thinking through on the organization side, what are some of the things that chief information security officers and just any leaders within the healthcare space need to think about and when it comes to AI and they're trying to look at their strategy, trying to be safe, but at the same time wanting to be, you know, on the forefront of the technology in leveraging it to the best of their capabilities. So what do you really have to watch out for if you're a leader of a healthcare system trying to figure out, you know, what AI is going to make sense for you?
B
Well, it's really critical to have strong governance because there's a lot of different AI buzzwords and what is AI and not AI. So it's like there's machine learning, there's you know, just using it for searching, there's autonomous AI that these, you know, machine learning. Like there's, there's different components that make up AI. So it's like you first need to be educated on what is and isn't AI, how it's used in the organization, or as a subset of a variant of another application and or system. But it's also important to understand the build versus buy question as part of this governance structure that you really need to understand. Is this something that you want to go with a tried and true partner. So like the Microsofts of the world, the Epics that, you know, have embedded in roadmaps with AI versus you know, thinking that we're going to try to build it, create a lot of these components ourselves, that it's a lot more meantime to maturity, easier to implement, easier to manage, easier to secure if it's with one of your partners. So that's really very important to that. But also having strong data governance because again, like a lot of different tools, it's dependent on data. If it's either, you know, from a machine learning, you know, looking at activities and components over time, or actually leveraging the data to make decisions. Because I know there's a lot of opportunity on that on both sides of the house, on looking at, you know, those two different types of AI. So it's, again, that's the importance of AI use cases, the crawl, run, walk, and also doing due diligence to really make sure that you are protecting your organization from a data protection standpoint, that there's a lot of different security tools that we can leverage to make sure that we're keeping everything in house, making sure that data isn't being misused and that we're really just supporting the clinicians in the intended use.
A
Absolutely, 100%. I think that's such helpful advice and really great bullet points to take back and understand and apply to your own organization. Now. I think, I think when you look at the future, you're thinking about growth from an organizational strategic standpoint. I know there's a lot of initiatives out there trying to, you know, continue to expand access to care and apply technology. What does it look like for you when you're thinking about growth and adding value to the organization overall? What's important for you to do in part to your executive team to make sure that on the cybersecurity side, everything is in top shape.
B
It's important for us to make sure that we're aligning to the strategy and growth of the organization just because of how technology is enabled and the digital front door, that we're continuing to grow, optimize and expand to really support our patients is that that's just expanding your risk profile. And it's really just important that everybody understands that when we're looking at various technology that, you know, we're able to always use good cybersecurity hygiene, good, good practices in place. And I think that that all goes into the cybersecurity culture, just the mindset. So it's really, again, important that as the CISO of the organization that we, we have various committees. So it's always important that we're, I always say, being storytellers. So we need to understand about educating people. Like we had just spoke to the first autonomous AI attack, you know, that's going to go out on being a blitz in, you know, my governance, risk and compliance, our audit and compliance steering committee, our operational compliance meeting, like really helping. Say, guys, this is a lot of what we've been focusing on building the foundation, putting our investments and controls to help protect about this. So it's again building in that layered approach to really just make sure that we're protecting against today's threats and the threats of tomorrow with how technology is just continuing to evolve. So again, being a good partner, educating staff on what's going on in the world, because again, they're looking at, you know, headwinds and other strategic components on their side of the house. So it's really just important that if it's ingrained into people's DNA, they know cybersecurity is an important pillar to what we need to do as an organization, that it just helps become naturally.
So that's just where again my role to help really just spread the gospel, I like to say internally, to really make sure that we're partnering with our business, that they understand what we're here to do, how we're here to help, and then around the frameworks and foundations that we're doing to make sure we're securing the organization.
A
That makes a lot of sense. And it's just really helpful to understand, I'm thinking from that lens of setting up the governance, the right committees, compliance and more. And from your perspective, as you see the landscape changing with AI and just becoming more sophisticated technologically, is there anything that you have to do differently with your teams or the cybersecurity and IT folks working with you? Are you looking for any skills, expertise or something that you're more often partnering with other organizations, again to make sure that you're in a great place?
B
No, I think that's a great question. I think the hype of AI really makes people think that we have to change our approach. But from cybersecurity practice, that if we focus on the fundamentals, I've always said that, that it'll set us up to be successful in any net new technology, emerging risk, etc. Because if you really think about looking at phishing, social engineering, that's going to, you know, be something that threat actors are using, you know, to try to target our organizations. If you're thinking about vulnerability management and patching, that's going to, you know, apply to AI and technologies as well. If you're talking about data governance and data management, that applies to that as well. Data loss prevention, that just becomes a little bit more paramount on, you know, the fast pace of data, it needing more data, looking at monitoring and alerting. So, you know, I can go on and on a lot of about this access controls, but again, if we're doing a lot of that very well, can really mature in some of these key areas that it'll set us up for success for. You know, how we want to use AI, how we can protect about protect our organization from threat actors, but also mishandling internally. So again, it's really sticking to those fundamentals will help us grow holistically regardless of what technology is out there. So it's really important to just articulate that, make sure that your cybersecurity strategy is sound and more focused on practices and principles than trying to nip off every net new tech and or risk that rolls around the corner. Kind of like emergency management, I like to have an all hazard approach that you know, we can't spend all day just thinking about, you know, what if this, what if that it needs to just be like we're going to focus on identity regardless of a type of attack. We're going to have, you know, alerting, isolation, etc associated with that.
So again, really any cybersecurity hygiene practice approach can apply to technologies like AI and enable us to protect the organization just organically if we're doing our jobs well.
A
That's a great philosophy and just fascinating to think about having that true north and finding a way that you can really stay grounded no matter what happens. I'm curious too. You know, looking at the next year or so, I know a lot of organizations are seeing some financial challenges, potentially funding cuts and those kinds of things. And so you know, for those who may be tightening their belt straps a little bit, what is one risk or investment that's really still worth making this year, especially given, you know, how quickly things are changing the technology as well as the cybersecurity space.
B
Well, governance is free, so I think that it's always important. Strong governance goes a long way within the organization being creative in how you can attack different components. Like for example, we see a rise in phishing targeting various players. We've been invested a lot in technologies, awareness, training, etc. But I've also just looked at blocking certain roles from having external email. So it's like that's a no low cost concept. So I think that as we continue to look at the headwinds and potentially needing to, as you said, you know, look at cost reductions, you know, staying flat from our overall budgets. It's really important to think outside of the box. Do a lot of the foundational elements do those very well versus chasing all the shiny bright objects within it. I think focusing on identity, access management's the most critical component. I consider myself an identity junkie, that 80% of all cybersecurity events and attacks stem from an identity based attack. So if you think about multi factor authentication, privileged access management, identity governance, looking at, you know, into service accounts, looking into more than just those components, building a defense in depth, strategically on identity will go a long way for organizations. So I think any way that you can better focus on identity access management versus people coming and going from the organization, that that's of the utmost importance. And then having data and analytics help drive decisions moving forward that I like to use the example of the movie Moneyball, you know that they had the strategic and analytics guy that was going in to make, you know, different decisions on that, that, that really having analytics, we've talked about it for a long time. I think AI is where that can help us look at things on what's working well, you know, other areas that we can focus on and really just help us drive and be more tactical in this.
And I think that again, yeah, just will go a long way in a good organizational culture as well because it takes everybody in the organization to be successful. And by having your end users fully trained, aware and you know, drinking the Kool-Aid on what we need to do, I like to say that it's really, really goes a long way because there are, are some of our bigger risk items we need to look at, but also our first line of defense. So always leveraging them to really help us fight our good fight for what we're doing at Renown.
A
Absolutely. I love that. And you know, when you speak about governance being so important and actually, you know, being a no cost way, you can be on some of the cyber security and attack fronts. Is there anything unique that you do at Renown that's worked particularly well and, or you know, looking into next year. Anything you're trying to do a little bit differently to meet the needs of the day?
B
Well, we're always trying to, we want to not be Swiss cheese on our intake process. So I think that building layers to that's super important. So our, our President's council team has final approval of a lot of the various projects that are coming in. We have a phase gate process as well. So that's a multifaceted group that has finance, IT, legal, you know, various stakeholders throughout the organization to look at different pieces. So that's a good governance structure. We also have an intake of doing cybersecurity assessments, AI assessments that we've rolled that out and looking at various subsets of that as well. So I think that that's very important to make sure a technology that's coming in does or doesn't have AI capability, so that once you have it, you're not dealing with the problem after the fact. So getting that much information up front and then understanding how that tech's going to work in your ecosystem is part of an onboarding and review session. So again, as you're seeing, we have various layers and then ultimately I sign off on our DocuSign process before anything's purchased, because then that's ensuring that we did do a security review. Again, that's a lot more work, but puts the accountability on us to make sure that we're actually reviewing, looking at the cybersecurity posture, looking at any risk that some technologies might be bringing into the organization. But just again, multiple committees, it seems like it can be tiresome, but, you know, having different targeted components like us, having a governance risk and compliance that we can speak more to compliance, privacy and security aspects as well as data governance, which is a key component to that.
And then having our, you know, committees on onboarding and looking at new technology from a strategic perspective, and then thinking about our auditing compliance committee, and then thinking about our business continuity and disaster recovery committee, and then our emergency management committee. So it's like we have so many various committees that are centralized on, you know, driving their strategic work streams, but there's always such a big subset on data protection, cybersecurity, and that that, that enables us to make sure that we have that seat at the table and we're partnering with the organization to really make sure that we have an understanding of where we're going, what we're currently doing, and being able to have those discussions as needed.
A
That's so helpful to understand. Thank you for digging a little bit deeper there. Now, before we wrap up, I'm curious, what do you see as some of the best opportunities for growth in the future?
B
Well, I think to what you said before, I think that we're getting to a point that technology and AI will be able to help push the envelope on doing some, you know, maybe level one, level two stuff. I think voice calling and AI is going to be a huge opportunity for driving costs down from a service desk perspective. Because if you think about it, you know, we've come a long way in just that evolution of calling a service desk. You talk to the live agent. Then we've gone to like the IVR perspective where you can press 1 for this issue, press 2 for this to now to the point that we have Autonomous AI that you're seeing, like with Alexa and Siri's, who's probably going to turn on, as I say, her name, but really that conversational component that if you think about being able to build knowledge base for some of the key areas that we're seeing in IT, from, you know, reporting an incident to I need my password reset to how do I do this, how do I do that? There's some very high level pieces that we could start to look at building into that that can help drive down the necessity of having a service desk fully staffed to that and be able to scale up and down to, you know, some more basic elements to that. So I think that's where AI can do that as well as meeting and note taking and, you know, research and, you know, decision analytics, you know, once we get to that point. So I think that there's a lot of opportunity just in the progression that we're seeing AI and being able to actually start to deliver in some of these key areas as well as I've seen, you know, night and day expansions and actual usability with on the clinical side for how they're going to be able to use it to, you know, help curb physician burnout that we've been talking about forever more process optimization, you know, real time data analytic and you know, a lot of different opportunities to that. So it's really exciting to be in technology right now.
Also kind of scary on the cybersecurity side, but again that I think this is a great time for us to be able to leverage that and that'll challenge a lot of health systems moving forward with us seeing some of these headwinds on how we can better leverage that technology to help us out kind of on curbing expenses of staffing.
A
Fantastic that, you know, it seems like a really great opportunity and something that I know a lot of organizations would welcome the technology to do more of that on the call desk especially and then how else they can leverage AI in a smart and meaningful way. Steven, thank you so much for joining us on the podcast today. This has been such a fascinating and informative conversation and I look forward to connecting with you again soon.
B
Look forward to it. Thank you so much.
Guest: Steven Ramirez, Chief Information Security Officer & Tech Officer, Renown Health
Host: Laura Dardo
Release Date: December 1, 2025
In this episode, Laura Dardo sits down with Steven Ramirez, CISO and Tech Officer at Renown Health, to discuss the rapidly evolving landscape of cybersecurity in healthcare. The conversation dives into the unique threats posed by AI, the importance of governance, the growing need for strong identity and access management, and innovative ways to embed cybersecurity into organizational culture—all amid tightening budgets. Ramirez highlights proactive initiatives and emerging opportunities at Renown Health, offering listeners pragmatic advice and real-world examples from the front lines of healthcare IT.
On AI Threat Evolution:
“We finally saw how threat actors can leverage it to target various organizations. ... AI is only going to get more sophisticated in tactics and techniques.”
— Steven Ramirez, [01:34]
On Governance:
“It's really critical to have strong governance because there's a lot of different AI buzzwords and what is AI and not AI.”
— Steven Ramirez, [03:48]
On Identity Management:
“I consider myself an identity junkie, that 80% of all cybersecurity events and attacks stem from an identity based attack.”
— Steven Ramirez, [11:49]
On Culture and Training:
“It takes everybody in the organization to be successful. ... our end users ... are some of our bigger risk items we need to look at, but also our first line of defense.”
— Steven Ramirez, [13:50]
On the Future with AI-Driven Support:
“Voice calling and AI is going to be a huge opportunity ... that conversational component ... can help drive down the necessity of having a service desk fully staffed.”
— Steven Ramirez, [17:19]
The episode maintains a pragmatic, forward-looking, and candid style, fueled by Ramirez’s passion (“evangelizing,” “spreading the gospel”) and knack for distilling complex concepts into actionable advice. His approach is collaborative, emphasizing education, culture, and wrapping security into the fabric of organizational strategy.
For healthcare leaders navigating AI and cybersecurity, Ramirez’s advice is clear: focus on strong governance, identity defense, education, and a layered, resilient approach—without getting sidetracked by every shiny new thing.