B (2:51)

Awesome. Awesome. I love hearing those career journeys and I'd love to kind of, you know, with the next question, lean into that and talk about your time at Health isac. So since you joined and started Health isac, you built the threat operations center from the ground up. So what are some of the unique challenges that you've seen healthcare organizations face? And how do they compare to the other industries that you've worked on? And kind of, as a, you know, second question added on to that, what does it look like moving from traditional disaster recovery to cyber recovery models meant for healthcare?

A (3:20)

Yeah, well, good stuff there. And if I can, can we talk about what an ISAC is to start off?

B (3:27)

Yeah, absolutely. Let's do that. I think our listeners will love it.

A (3:29)

So the signs being the worst acronym ever, it stands for Information Sharing and Analysis Center. And it was a concept that started in the mid-1990s after a federal study basically found that much of the critical infrastructure was owned and operated by the private sector. And I'm just cutting for the chase. Basically, the idea was the government wanted to ensure that they encouraged the private sector to work with each other, share with each other, knowing what the threat landscape was starting to look like online at that time, and help protect the critical infrastructure. So today, when we roll ahead 25, 30 years later, now there's at least one ISAC for every critical infrastructure. And as my boss Denise Anderson says, if you've seen one isac, then you've seen one isac. We are all very different from each other, but at the core, we all all about information sharing and helping each other stay secure and stay resilient. And I bring that up because, you know, one of the things that makes Health Istack what we are today is, as you alluded to, we built down our own threat operations center. We built our own threat intelligence capability. And why do we do that? Well, one of the needs of the sector is we have several large multinational corporations that are Members, they have very robust information security teams, including very mature threat intelligence teams. And then we have an awful lot of smaller mid sized companies as well that that might have an infosec team, maybe not, but they certainly don't have a well established mature threat intelligence capability. And so that was what we wanted to be able to provide. So in addition to the fostering the member to member sharing that's happening today, we wanted to also ensure that we have the ability to provide original threat intelligence to those that need it in the sector. So that was what it was all about. And really it was a culmination of the years that I spent at Citi and Bank of America and bringing the best of what I learned in creating and running those organizations and what I knew from the financial services ISAC at the time, being a very active member there and bringing all of the best of all worlds there to help ISAC in trying to create that capability here.

B (5:45)

And so you mentioned that I don't want to misquote, but you said something along the lines of if you've seen one isac, then you've seen one isac, because they can all be so different. So based on your experience working within the financial Services ISAC and within Health isac, what are kind of the differences that you see there versus some of the differences amongst the other ISAC organizations?

A (6:05)

The differences between the ISACs really come down to fundamental change, differences in the model and some of the philosophies and info sharing mechanisms that we have and that we rely on. I'll tell you, like for example, at FS ISAC and Health isac, our members can share information, sensitive information with each other. We anonymize it, we provide it out to the rest of the membership. Financial services did the same thing, does the same thing. Most of the community, if we get intelligence like that, we don't care who it came from. We know it came from another member, we know it's part of the network. We can take that information and we can use it internally to help better protect our own networks. There are other ISACs that want the attribution, they want to know exactly where it came from. And, and so that, you know, again, just changes the sharing dynamic. I'll also say that one of the things that excited me when I came to help ISAC was just the level of collaboration, the spirit of wanting to be able to help each other out. As good as info sharing is in the financial services sector, I think it's even better in healthcare because of that level of collaboration. The Mission that, that many of these people work for health care delivery organizations that are involved in healthcare. There's a much different motivation and orientation for people like that and these kinds of organizations. And I think it just carries over to the technical teams that are running threat operations, for example. They want to share and they want to help each other out.

B (7:31)

All right. I think that's really valuable perspective and mission for an organization. And I kind of want to return to a question too about what has that shift looked like moving from traditional disaster recovery to cyber recovery models? And what is that? What does that mean for healthcare in particular?

A (7:46)

Yeah, I think, I know we're going to probably talk about it a little bit later too, but I think, you know, some of the overall philosophy changes over the last, let's say even 10, 15 years, there's been sort of the move toward resilience as opposed to just having a protection mindset and where, you know, 10, 15 years ago the networks were more defined, not as fuzzy as they are today. They weren't necessarily all the cloud based, fast services that we have and tons of employees with a BYOD and running devices inside the network and it was easier to kind of protect the perimeter. And whereas today we've got certain very much different mindset. So the idea there being that we can't protect it all, we've got to be better about detection, recovery and so sort of a floating resilience out there. And I think that carries over sort of that traditional disaster recovery model and what the issues are on the cyber security and cyber recovery side as well, where we've got to be really diligent in terms of detecting the anomalies, the incidents and being able to rapidly recover.

B (8:50)

Right? Absolutely. Absolutely.

A (8:51)

Okay, perfect.

B (8:52)

So I wanted to kind of zoom out and talk about, you know, a big topic within healthcare right now. And so in December of last year, HHS and for our listeners who aren't in the U.S. hHS stands health and Human Services. And so HHS issued a notice of proposed rulemaking, some people are calling it HIPAA 2.0, which contain proposed changes like recovering critical applications within 72 hours and tracking sensitive data on an ongoing and regular basis. Do you think this will go ahead as proposed? Do you think that the industry is ready for this kind of, you know, rulemaking? What's your perspective on that?

A (9:27)

On that one? I. So I'd say the short answer is no in terms of what I mean by that. Is that going to go anywhere this year, in the next three years? I don't think so. Given the fact that the current administration is very anti regulation and trying to eliminate regulations where they can, I really don't think that anything like this has got any serious traction in current administration. But I'd say, like even that said, more importantly, is the industry ready and thinking about some of the dynamics that were happening before President Trump came in office in January, what was happening in the previous administration, the work here with HIPAA2O, as you called it, There was a lot of other conversations happening at the time about trying to come up with sort of even minimum cybersecurity standards across health care in the US And a lot of serious conversations about that. In fact, In January of 2024, a joint public private partnership led to HHS releasing a set of releasing a set of cybersecurity standards called the Cyber performance goals, or CPGs. And in that document, you'll see sort of 10 baseline requirements, or baseline suggestions, I think is the word, and then a set of enhanced recommendations as well. And so you can almost think of those that I wouldn't. They're certainly not called requirements, but they are called suggestions. And could that have led to them becoming required baseline security requirements? I mean, sure. The challenge is, is the resources, and maybe we'll have a chance to dive into this a little further. I think the lack of resources, lack of money, lack of appropriate talent and cybersecurity is one of the biggest challenges that we have in healthcare. And there's a couple of reasons for that we can go into too, but not have, you know, you can mandate something, but if we don't have the money to implement that, if we don't have the people to implement all that, it's not going to get done. So I think those standards are good ideas, but we also need some help on the resources if we're seriously going to take that and try to implement them. When you think about what hospitals look like across the country, especially small rural hospitals that are struggling to survive economically just in general, and if we're going to throw more requirements out them and mandate cybersecurity requirements, for example, we can't do it without money.

B (11:53)

Absolutely. Absolutely. We actually had a really interesting episode with Nicole Tisdale back in January all about cyber policy. And something that really hit home, I think, from that episode was she said that organizations crafting policy really oftentimes are coming from a big city perspective and don't think about how that impacts organizations operating with smaller budgets, you know, fewer resources out in more typically rural environments. And so from a policy perspective, you have to Think kind of broader and how that's going to impact organizations in various different locales. So, you know, I know that resourcing and headcount is definitely a challenge for healthcare and that's something we have to keep in mind with policies like this.

A (12:35)

Yeah, Jeff. Yep. Yeah.

B (12:36)

All right, so let's take a little bit of break, a little bit of a break from the scheduled programming. And I have a more personal, you know, outside of work kind of question for you. It's slightly related to your day job though. So do you have any hobbies or skills outside of security that oddly help you be better at your job?

A (12:52)

Yeah, it's a fun question, I'd say. One of the things that I do really to try to keep healthy in so many ways is just stay active every day. And so my go to for that is bike riding. I do road biking a couple of days a week and then I have a trail bike that I do. So totally two very different kinds of rides, but a lot of fun, both of them. So it helps me from a health standpoint, but also from a mental health standpoint. And it's good alone aerial time, for example. I can think through some things and I'll admit it, I'm thinking about work a lot of time and so it gives me a chance to kind of play some different scenarios through my head while I'm paying attention to traffic and also just think through some things and get some good quality alone thinking time. So I think it makes me a better person for that.

B (13:43)

Yeah, absolutely. Getting away from the keyboard definitely helps clear your head and help you think about things from a different perspective. So I totally respect it. Awesome. So jumping back into the conversation at hand, I kind of want to address the human factor in cybersecurity. As many of us know, humans are the biggest vulnerability within an organization and healthcare organizations are definitely not immune to that sentiment.

A (14:03)

So what are some of the most.

B (14:04)

Successful strategies for getting non technical healthcare workers on board with security initiatives?

A (14:09)

Yeah, I think on that one, to me, sort of, you know, you're spot on. It's, you know, at the end of the day, it is all about the people. Nothing gets done anywhere without the people, despite all the AI that we have floating around today. So it comes down to the people. And I think like in a hospital organization, for example, you've got to make security sort of an embedded part of the culture. Security can't operate for security sake. We have a hospital we're running, for example. It can't be all about security. And we need the people to be a part of that solution. Because literally the people are the weakest link, as you said, and everybody is. It will ultimately become a part of that solution. So we need to build that culture where, you know, nurses, doctors, administrators feel like they're all part of that solution. They're all part of that team. And firewall, we can call it that. And we need buy in from every person in the organization that can feel comfortable if they need to escalate something, if they see something that they don't feel sounds right, they need to know where to report that to. They need to know that they can report it without any kind of retaliation, for example. And then the other part that I would say is, you know, we need to do a better job on training in general. It's certainly still a strong part of any kind of robust information security program. And we've got, and it's more than just that, annual compliance training. I've seen some really good compliance training. I've seen some bad ones also. But we need to do more than just that. We need to do training that's continuous, and it's also relevant to the person's role in the organization and make them feel like they're a part of that solution. That's how I would address that.

B (15:44)

Right. I think that element of personalization is a really, really compelling way to get people on board with these different security initiatives versus making them feel like they're, you know, walking on eggshells or, you know, scared of this kind of issue. So that's great advice. And so another question I have for you is, based on your conversations that you've been having with security teams in your network, how are healthcare organizations embracing the concept of a minimum viable hospital? Are they using this model to prepare to recover and maintain operations when a cyber attack occurs? Is this kind of a conversation that you've been having with people in your network?

A (16:17)

Yeah, it's definitely a pretty current conversation and getting a lot of attention. And, you know, the whole idea here, right. Is that where you want to ensure that critical patient care and other hospital functions can continue to operate during a cyber attack. It's definitely gaining attraction, but I'd say the adoption of it really is kind of all over the place. And in my conversations with the various hospital CISOs, I'd say, you know, probably the more mature large urban healthcare centers that we've talked about before are some of the ones that. That are embracing it. And. And they've got the ability to even include that as part of their robust Business continuity, disaster recovery planning. You know, they've got teams that, that's all they do and so they have the ability to focus on that. I think the challenge that we have not shockingly is the smaller rural hospitals we talked about the financial constraints, security, budgets lacking and whatnot. Do they even have the time, the ability to get into this, into this world? So I think ultimately what I would say is, you know, in my conversations, I think 30, 35%, about a third of the, of the healthcare companies that I'm talking to are exploring or implementing MBH type principles. But again, it's kind of all over the place. Right, right.

B (17:33)

Definitely understand how that can vary a lot from organization to organization. All right, well, the last question I have for you. So are you feeling more optimistic or pessimistic about the future of cybersecurity and healthcare and what makes you feel that way?

A (17:45)

Wow. So I'd say I'm normally an optimistic sort of person, maybe a little cynical and jaded from some of the experiences that I've had. The only, I'll say negative part that I, that I'll have is that I feel like the threats just keep getting worse and it's tougher to keep up to date on them and we have bigger and bigger challenges every year. But I'm super optimistic though in terms of where we're going, where the industry is heading. I look at just for example, in the world of artificial intelligence and AI. I'm very excited about the possibilities there. It's so cool, in fact, seeing the medical, the health applications of AI that are coming out today in terms of better healthcare planning, better diagnostics, better medical device technology and more customization for the patient. It's just really super exciting to see what, what's coming. And of course with all those promises now we also see the bad guys are leveraging AI as well. So kind of like where I was going before with, I think the challenge is it's going to be harder to protect the networks because of the bad guys leveraging AI as well. But all that said, I feel pretty optimistic about it. Security teams leveraging AI as well as some really neat applications that we're even using in the cybersecurity space too, that have got a lot of promise. It's going to make our jobs better and allow us to do more. Right, right.

B (19:08)

I know things like generative AI can be a double edged sword, but I still love that you're going through it with an optimistic view. And I think organizations like Health ISAC are helping make sure positive outcomes, you know, are a result for these different organizations. So keep doing amazing work. Thank you so much for the conversation. It's been really great, Errol, for organizations listening in in healthcare who may not already be a part of health isac, how can they get involved in this community and where can they find you?

A (19:35)

Yeah. So again, thanks for the opportunity to be here and talk to your audience. If, if you want to find out more information about Health ISAC, it's just health-isac.org and you can go to our website and check it out. And the other thing I would just remind everybody, Caleb, as you and I were talking before the podcast today, you know every critical infrastructure has niceac. So if you're not in healthcare health, I would encourage you to seek out your respective ISAC in your industry. If you are a good place to go to find an ISAC or other information sharing organization, there's the National Council of ISACs. They have a list of every single one of the other ISACs as well. But I say get involved. I mean, I truly believe that you get so much more out of it than what you put into it. And it's a great learning environment for you personally, but it's also a great way for you to help protect your own company.

B (20:26)

Absolutely. Absolutely. Great note to end this conversation on again, Errol, thank you. Thank you for the work that you've done. Thank you for this conversation and until.

A (20:34)

Next time, thanks, Gael. It.