
Loading summary
A
Foreign welcome to Risk Never Sleeps where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet. Welcome to the Risk Never Sleeps podcast in which we talk to the folks that are on the front lines protecting patient safety and delivering patient care. And today I am pleased to be joined by a special guest, Dave Waska, who is the Chief Information Security Officer at Senseinet. Welcome, Dave.
B
Thank you so much, Ed. I'm really excited about doing this today.
A
Excellent. So great to have you on the program. Let's start off with your current role and a little bit about what you do at Sense and a little bit about your. Your current company.
B
Yeah, absolutely. So a company I think you know a little bit about. So I wear a couple of hats. I'm responsible for keeping Sense secure, obviously. I also lead a great team which develops risk assessments in the CinciNet risk ops platform to help health systems with third party and enterprise risk management.
A
Excellent. And you've been here four months now?
B
Four months in just a few days.
A
And you've already added some new elements to the platform through your curation efforts. One of those is the NIST AI RMF assessment type that's in enterprise risk, which is pretty exciting. And you've got a couple of other ones coming soon as well.
B
I do, I do. I'm really excited about the new healthcare cybersecurity performance goals that CISA put out a little earlier this year. So we've turned that into a risk assessment that will really help as a template for healthcare systems to benchmark. Where are they today and where are their opportunities to improve their cybersecurity programs?
A
Excellent. And I think by the time this, AERS will be already into the benchmark program as well.
B
Yeah.
A
And so customers will be able to utilize that new assessment type that you're building.
B
Oh, I'm really excited about that. It's a really different feel. You know, coming from a provider space, I've always been very focused on how do we protect our patients, how do we keep our health system secure. But in the software company, it's a lot different. Here. It's also about the product that we're selling and the services that we provide. So, you know, doing podcasts like this help marketing and sales, where I have contacts in health care and just being able to bring my experience in health care, you know, to the things that we do.
A
Yeah, it's quite different. We'll unpack that in a bit. So how did you get into health care? You've got a pretty long experienced career in health care. So help our listeners understand how that all started out.
B
Oh yeah. So I've always had a real passion for learning and science and technology and you know, really I actually thought I was going to med school at one time. I actually started academia. I have a doctorate in chemistry where I've done a lot of research and have multiple publications. I did a multidisciplinary degree in inorganic and physical chemistry, which included work in the laboratory as well as theoretical work doing molecular simulations of chemical reactions. So that gave me a lot of practical experience running complex Unix systems. I ended up changing careers actually, and strangely enough worked for DuPont, a chemical company of all things, managing the enterprise Unix environment. I've always had this idea that healthcare is really important and like I said, I wanted to go to med school. So I was lucky enough to join a long term care facility in New York as a systems manager. And that's kind of where I started my career over 20 years ago in health care. But over time I've also been a CIO of a health system. And before joining Sensenet, I was the assistant vice president of information security at the largest health system in New York.
A
And that's Northwell. And they're also a customer of Sense.
B
And that's right, they are. I was really thrilled to bring in Sensenet to Northwell Health. And now I'm on the other side of it, having calls with my old colleagues.
A
That's pretty cool. I also believe you know a little bit about quantum mechanics too. I told you we were going to go there. I did warn you.
B
You did, you did. I had to brush the dust off some of my old textbooks. I actually loved studying quantum mechanics and had an opportunity to teach it a couple of times. Quantum mechanics, it's a branch of physics that explains how very small particles are like electrons and photons behave. And understanding the math and the physics behind it was something that I enjoyed immensely back during my graduate, my graduate days. And now more recently. Just looking at all the things that are going on around quantum computing is just really fascinating.
A
So if you were at a neighborhood party and someone asked you, Dave, what the hell is quantum mechanics? How would you describe it to someone like myself, the uneducated? How would you describe it?
B
How would I describe it? Okay, so I think that, you know, generally folks know that classical computing is all about those ones and zeros, bits. Well, quantum computing is instead of bits, they use something called quantum bits or qubits. They have very unique properties based on quantum mechanics. Properties such as superposition and entanglement. I love those words, and I'll give you my analogies in a moment. But at the end of the day, superposition and entanglement are what really allows a quantum computer to process information in ways that classical computers just can't do. And it can do these kinds of calculations so much faster as well.
A
Yeah. So in effect, simultaneously.
B
Yeah, yeah. So superposition is. Okay. Think of superposition like this, okay? In a regular computer, you have bits. It's like a light switch. They're on or it's off. You know, ones or zeros. In quantum computing, qubits, they're kind of like a dimmer switch. So they could be on, they're off, they're somewhere in the middle. So essentially, you can represent on and off or 0 and 1 at the same time simultaneously. And the ability to be in multiple states at the same time, that's called superposition. It allows for that. The processing of simultaneous possibilities in calculations.
A
Reminds me of my college days.
B
I'm sorry.
A
It reminds me of my college days being in multiple states at the same time. All right, so. But seriously, there's obviously constraints in terms of how things are processed or computing. Obviously, within the. The classical context, this notion of logic gates the andor not. Right. Whereas quantum does it differently. So they process those calculations in very, very unique ways. And so talk about that and talk about the ability to paralyze that computation in a way that, you know, again, is non traditional. And because I want to get to. What I want to do is get to the connection of why should we care? And maybe we don't care so much today, but like everything else, tomorrow could be just around the corner for this. And as cybersecurity leaders, we may at least want to have some indication of what it is and how to get our arms around it quickly. So let's unpack this a bit.
B
Sure. So there's this notion of quantum entanglement. That's a fancy term, but what it really means is that imagine you have two qubits, okay? So those are those bits that I was talking about. Imagine they're like a paradise, okay? But these dice are linked in such a way that if you roll one, the other one always shows related value. So no matter how far apart they are, they are aware of each other's state or value. So this connection is called entanglement. Okay? It means that a state in one qubit instantly affects the state of another one. And that enables this much faster and more complex calculations. And where it really will make a difference are in the whole field around cryptography, obviously. You know, that's one of the most talked about applications in quantum computing today, where you could have that possibility or potential of breaking widely used encryption techniques or methods like RSA or ecc, which rely on factoring very large numbers, solving discrete logarithm problems. Something that classic computers don't do well and they take a very long time. So, I mean, we've all seen those charts like, well, if you have a four character password, your password can be cracked in, you know, four minutes, three minutes, you know, 30 seconds, whatever. With quantum algorithms, it's just exponential, it can crack those codes incredibly fast. Another field is around artificial intelligence even. You know, it can enhance machine learning algorithms, making it faster and more efficient. And there's one field that's kind of near and dear to my heart really, and that revolves around using quantum computers to simulate molecular interactions at the atomic level.
A
For drug discovery, I bet.
B
Yeah, drug discovery, material science. I mean, it really has potential to revolutionize these industries that depend on chemical reactions and molecular modeling.
A
Excellent, excellent. And so, you know, as you go back to the encryption problem, what are some of the things that CISOs and others can start to think about in a world where we have quantum computers readily available? And the risk of losing the efficacy of the encryption we currently have is there is real.
B
Yeah. So thankfully we're still a little ways off. I mean, you know, companies like Google and IBM, you know, they're making significant progress and they're really at the forefront of quantum computing. But there's still a lot, there's still a long way to go, frankly, when it comes to cryptography. I think, you know, where CISOs are probably looking to go, they need to think about what that next level is, you know, passwordless, you know, authentication, risk based authentication, where it's less about the password that could be hacked, but using other methodologies that are quite at risk.
A
Well, it also probably introduces new post quantum cryptographic systems like multivariant cryptography and other approaches.
B
No, that's very true. Boy, it's been a while since I've taken multivariate calculus, but yeah, I mean, at the end of the day, you know, cryptography, you know, revolves around mathematical algorithms. Okay. And you know, mathematicians are phenomenal at coming up with different ways of creating cryptographic keys and using quantum computing to come up with new ways. New algorithms that are harder and harder to crack are definitely going to be, you know, something that they should be looking at.
A
Yeah. Okay, good. And then Obviously, as we get closer to this, what's your prediction in terms of timing? Do you think this is in the next five years? Do you think it's less? Do you think it's longer?
B
I still think that understanding how you expand the number of qubits that are being used is something that it's a challenge that they need to overcome first. Once we hit that, once we're able to get over that barrier, I think things will get progressively more and more we'll be able to dug with quantum computers. I think it's going to be a while, frankly. I think that there are just some things that, you know, we need to better understand to figure out. I'm not a betting man, so, you know, I'm not going to say five years, 10 years. I'll use a quantum computer to give you some probabilities though. Maybe I'll answer.
A
Yeah, well, there's obviously the compute, the physical considerations around qubit stability and the environment that one has to manage, which is a much cooler environment to keep those things stable. Right. So we're obviously not even prepared for that. We've seen how much artificial intelligence has sort of stretched our ability to keep up with the compute demand, if you will, for large language models and the such. So I'm a little more optimistic. I think five years on the outset will start to be using quantum for those particular areas that we talked about earlier, which would be exciting.
B
It'll be amazing. I've been following it more and more, especially since my son just graduated with his degree in electrical computer engineering. So he and I talk about those kinds of things. He actually understands it better than I do.
A
Oh, maybe we should add him on.
B
Maybe.
A
I'm just kidding. All right, Dave, so you talked about the CPGs. What are some of the other priorities you have over the next 12 months?
B
I'm mostly focusing on using my background and experience working in the healthcare to help drive better risk outcomes. I think arming security teams with the information they need to drive down risk is really paramount. I think I have a lot of ideas and maybe you like some of them that, you know, we can expand risk ops to add more features and functionality to really bring us to the next level.
A
I think some of the things you've been working on, I know you shared your connection with business continuity, business resilience and disaster recovery. Anything you want to share, Give people sort of an early, early look at some of the ideas you're thinking about.
B
Oh, sure. I think kind of a natural progression. If you think about third party Risk management, which is one of the things that risk apps does very well, obviously having that ecosystem of assets within your catalog and being able to not just do risk assessments from a third party risk, but also being able to look at it from a disaster recovery perspective, from a business continuity perspective. Even doing business impact analysis as part of the onboarding of a new technology solution, I think it's really important and that'll help you as an organization understand where that solution should be and what's the criticality and what are the dependencies between that solution and other systems that where integration exists. I think that there's some very logical steps that make sense. Being able to have incident response plans associated with technology solutions and being able to run exercises and having a true understanding of all the things that go into your doctor plan or IR plan connected to those assets. I think that there's a true benefit to having that full view of everything that's going on in your catalog.
A
It's certainly, I think today more than ever people are more aware of it's not a matter of if, it's a matter of when. So therefore I can only do so much given my ability to identify, protect and detect. And so if an event is going to occur, then I, I better have the ability to respond and recover quickly within the context of running the business and the impact that it can have if we are down longer than we should be down. So it's good to see that focus shift. And also I think those worlds are coming together. The cybersecurity worlds, if you will. The GRC worlds.
B
Yes.
A
And the business continuity and disaster recovery worlds. Whereas for many years they were separate silos within an organization that, you know, maybe met, but not as frequently as they should and certainly didn't draw the connections as tightly as certainly we know they need to be drawn. That's exciting. And what are some of the things that keep you up at night as a CISO of a smaller tech company? Quite a transition from your previous employer.
B
Yeah, my budget is a lot smaller. You know, it's just the challenges. A smaller company definitely has, you know, different and unique challenges and you know, a large complex health system, obviously, but it also isn't as regulated obviously as well. That offers some advantages. Decisions we make won't impact patient safety. I love that I'm able to really kind of think about security in the context of we need a secure solution, we need a secure environment, but patient safety is a debt risk at risk. So that's a big difference in kind of the way I look at it.
A
In the day to day operations, but. Yeah, but conversely, you have the ability to make decisions that can affect patient safety on a more global level because you can enable more of those health systems with the tools and the processes and procedures to do a better job.
B
Protecting patient safety, arming security teams with the information they need is really, you know, what it's all about.
A
Yeah. All right, great. You know, if you're outside of this job, doing something that you love and you're most passionate of, what would it be? What would it be?
B
I love spending time with my family. I make no. I make no apologies for getting away as often as I can and spending time with my kids and my extended family as well. I'm an avid golfer. I like to say I play golf, but I say it's more of, you know, I just go through the motions. I do enjoy it, though. I like it. I love music. I love. You know, a big hobby of mine is woodworking, actually. Right now I'm building oak end tables for my living room.
A
No. No kidding. Wow.
B
Yeah.
A
You use like. What do they call those? A dove groove or what are the connections that you dovetail groups? Dovetails.
B
Dovetail connections.
A
Yeah.
B
I don't. I'm not quite up to that level.
A
Okay.
B
But I do use other types of joints.
A
Okay. Interesting.
B
Glittering is definitely an interesting part.
A
What's the most complicated piece of woodworking that you've experienced or you've done on your own?
B
Probably making these end tables is probably the really most advanced. Yeah. There are drawers. There are some complex joinery in it. The legs are tapered. Oh, a lot of routing as well.
A
Nice.
B
That sounds like.
A
Sounds like you have a little barn there with some tools to play with.
B
Hamper, garage.
A
My father did that. He loved making things. We had our first daughter. He immediately, you know, made her bureaus and dressers and all this stuff. We still have them, you know, toy boxes. And he just loved making those things.
B
I grew up in a family, so my father's an architect, a corporate architect. So I grew up watching his buildings, you know, go up and interestedly enough, it looked. Not counting sense in it. The last three health systems that I worked with, every one of them had an office in one of my father's buildings.
A
Really?
B
Yeah. That's pretty cool. That is very cool. Yes. My mother's an interior designer, so she didn't design those buildings, but she's done some really phenomenal.
A
That's very cool. That's very cool.
B
She worked in Manhattan.
A
I did not know that.
B
Yeah.
A
Did Your dad know Frank Lloyd Wright?
B
I doubt that. I doubt that.
A
That's all I got on the architect side.
B
Yeah.
A
All right. If you could go back in time, what would you tell your 20 year old self?
B
Oh, boy. What would I tell my sister 23 year old self? I think I would say hang in there.
A
Hang in there. Okay.
B
Life throws curveballs, but as long as you have family that you count on, you know it'll work out.
A
Okay. All right. I would love to see you as a 20 year old kid.
B
So would I.
A
There's going to be a video floating around somewhere, right?
B
Yeah. In my 20s, I was finishing up my graduate work, working in laboratories and teaching and.
A
Pretty cool.
B
Yeah. Yep.
A
Okay. I know you're a really risky guy. What's the riskiest thing you've ever done?
B
Yeah. So after years of studying and research in chemistry, changing careers into healthcare, information technology with. Yeah, that's pretty riskiest thing I ever did.
A
So in chemistry, did you ever mix anything, any elements together that were combustible?
B
Yeah.
A
That's pretty risky. That's pretty risky, right?
B
It was controlled.
A
Oh, it was controlled. Okay. Okay. All right, Fair enough.
B
This saying that goes better living through chemistry. Better living.
A
All right. Hardest lesson in your career.
B
Hardest lesson. The hardest lesson I think, you know, is more around. It doesn't always go your way. Or does it go the way you thought it would?
A
Yeah.
B
And having that backup plan.
A
Yeah. And also having the ability to understand that when you're going through it. Right. To give you that piece, if you will. A little bit of a. A Zen moment.
B
Very true.
A
Yeah.
B
All right.
A
You mentioned music earlier. Sure. You're on a desert island. What are the top five records you'd bring with you?
B
Five records.
A
Okay. Because there's a turntable there on the island.
B
So I was going to say, do I like to have something that I could play it on?
A
You do? You do? Okay.
B
All right. All right. So I. I want a good turntable and really good.
A
Oh, it's a great turntable. Yeah.
B
All right.
A
So Macintosh system, it's all fully loaded. You're gonna have.
B
There we go. Okay.
A
We're gonna have a good time.
B
I'd start with Pink Floyd, Dark side of the Moon.
A
Very nice. Okay. Very nice.
B
Ely Dan. Either angel or Royal Skin.
A
Very good.
B
Both really good albums.
A
Yeah.
B
Led Zeppelin, Houses of the Holy.
A
Oh, wow. Look at you coming out of the woodwork with Will. Led Zeppelin, Houses of the Holy. I love classic Dire Maker. Very good song.
B
Yeah, yeah. Open the Hills Far Away. It's a great Album.
A
The Rain Song, I think is on that. Right?
B
What's what?
A
The Rain Song is on that, too, isn't it?
B
Yes, it is.
A
Yeah.
B
Yeah. That's a great song. Love the doors.
A
Love, love.
B
1967.
A
You love the Doors. I didn't, Dave. I didn't. How come I didn't know that about you?
B
You never asked about His Grateful Day.
A
But my first band. My first band was the Doors.
B
Was it really?
A
Yes. That's my true love. Yeah. That's my origin story that connected me into everything. Writing other bands, the Beats, the Beat Generation, which is a gateway into the Grateful Dead and. And other things. Yeah, but it was the Doors. It was Jim Morrison, actually. It was.
B
Oh, very cool. Yeah. So my brother, he's a doctor by day, but he's a musician by night. Oh, he's had a couple of bands for years and years. I still go back to those days when, you know, listening to him, coming home school and, you know, running at the piano with a new idea with something you wanted to try out or compose. And now I get to see him playing, you know, other venues.
A
That's really cool. Does he play Door? Does he cover Doors? The Doors.
B
Does he cover the Doors? No, he does a lot of yacht rock. He has a jazz band also, which is phenomenal.
A
Nice.
B
Yeah. Pretty musical family.
A
Nice. Very good. All right. All right. That's four albums. What do you got?
B
Four. I'll go a little bit more modern. How about the Eagles?
A
No, I'm just kidding. I like. Yeah, Eagles are great. Eagles. Eagles are coming to the Sphere. Why don't you go to the Sphere, David?
B
See the Eagles. I saw them in their farewell tour with the Dan Square Garden.
A
Nice. That's a good show.
B
That was a great show. Probably the best show I ever been to.
A
So. Fun fact about Steely Dan. There's a lot of fun facts about Steel Dan. You know where the name came from?
B
I do.
A
You know the movie? Just tell me the movie. You don't have to go through the. No, Barbarella. Barbarello. With Jane Fonda. Yeah. Yeah. There's a song. I think it's on Scam, Kid Charlemagne. Is that on Scam?
B
Yeah, Kid Charlemagne, absolutely.
A
Do you know what that song's about?
B
Oh, I did.
A
Augustus Owley Stanley. Right.
B
The.
A
Well, he was the audio engineer for the Grateful dad, but he also.
B
Yes, he was.
A
Produced a lot of psychedelics. He was the main producer of LSD back in the. The early 60s. And that fueled sort of the great American acid tests that Ken Key and Timothy Larry had put together. So it's all related. There's a believable relationship with music and writers and culture and artists and it all kind of comes together, if you dig. It's interesting those, those relationships. But Se Van. Great band. All right.
B
I've been going to their concerts as much as I could.
A
Okay. All right. What advice would you have to young professionals trying to break into healthcare and or cybersecurity?
B
I think it starts with figuring out which track you want. Okay. So there's obviously very highly technical security engineering and SecOps and so forth. That's what most people, students tend to lean towards. But there's also a whole other side of cybersecurity around risk management and governance and disaster recovery and security awareness and training. I mean, those are so critical. Most people tend to think of the sexier part of cybersecurity, which is really cool. And I really marvel at the people who do it. I've always gravitated more towards the risk management and governance side of it. I've always found it more interesting to me and it's just as important. So you know, when you're in school and you're taking classes, I think, you know, you want to take classes, obviously you want to understand, you know, computer technology, computer science. And more universities than ever are introducing cyber security curriculums. So I think that's fantastic thing because we just don't have enough people in cyber.
A
That's a good point. And I think this notion of the ability to critically think is so important. And I think oftentimes people that are coming out of school and looking at different opportunities get a little constrained by what they believe is required technically to do the job. Whereas the nice thing about things like risk management is you can have varying degrees of technical background and do well. You can come out of school with very little technical background and still be assuming you can critically think. Right?
B
Yeah, of course. You need to be good at problem solving.
A
You got to be good at problem solving. No question. Like that's a jacks to open. But the thing about risk management in general is it's so connected to the business and you get this opportunity to engage with the business and see much broader aspects, not only of business, but where technology and business intersect, the impact of technology on business positively and negatively. And then you can leverage that and that knowledge as you're building it over time, maybe to go into other areas of cybersecurity that maybe require more, more technical experience, more technical background. And so I always find it interesting that third party risk and Enterprise risk management and just general GRC provide a really nice entry point for people coming out of school that want to get into cyber, but, you know, may not have the technical background to go into the SoC, for example, to do pen testing or to do cryptography or whatever.
B
But you could get there. It's a great.
A
But you can get there.
B
Yeah, absolutely. I've always loved third party risk management. Risk management, security awareness and training. I kind of have this notion, if you will, that the human being is just as important as the technology. You know, you can have the least and greatest security technologies in place, but at the end of the day, you know, it's a human being that makes the most difference. Whether it's that person who spots a phishing email and then says, okay, you know, I see that, I'm going to report it, or a security team that exercised an incident response plan so that when something does happen, they know what to do and they're ready. Right. So I feel that the human part of it is just so critical. I had a really good boss who once said something to the effect of, you know, it's not just your security team, it's every employee in the organization that's part of the security team. So I think that's a really great point.
A
Yeah, I know, you're absolutely correct. And I think that gets lost sometimes when we're so focused on either the process or the technology. We sometimes miss the forest through the trees and. And again, that one of the hardest connection points often referred to, and I hate this, the weakest link. I hate that, by the way.
B
Yes.
A
I always look at it as the strongest opportunity. Right. The strongest opportunity is to enable your workforce, enable people to be your best ability to protect patient safety, patient care, data, etc. Right. But those connection points are so critical and they're so fragile in many ways. And oftentimes we get enamored with the technology or we get enamored with our process and we forget that without the right people and that attitude, which is much more open to transformation and change. Because if you're truly going to fix something, you have to change. You have to change something. And oftentimes it's that relationship with a really good tool or a really good process and terrible tool. And if you have a really good process and a bad tool, you're going to get bad outcomes regardless. And it's the people that have to understand that and work towards the end goal, which is change for the better in making sure that we have the right people, the right process and the right technology working together.
B
That's how that's done.
A
Yes, it really is. And it's so obvious. And we always have people process technology, but then people will say it. But actually, the hardest part is the application of those three things in a way that literally is driving better outcomes.
B
I totally agree. You know, you write a check, you could buy technology, okay? You know, you have people on your staff that can learn a product and can make it work, configure it properly, et cetera. But if you don't have good processes behind it, how do you react when, you know, you configure a SIM to report something based on a threshold of certain events? Okay. It has to go to the right people. They have to have the right playbooks and processes in place, and they need to practice it so that they're quick and they can respond and minimize the impact, you know, contain it and remediate it quickly. So it's so important to have all three.
A
It really is really great way to end the show. Thanks, Dave, for joining me today. This is Ed Gaudet from the Risk Never Sleeps podcast. And if you're on the front lines protecting patient safety and care delivery, remember to stay vigilant because Risk never sleeps. Thanks for listening to Risk Never Sleeps. For the show, notes, resources and more information and how to transform the protection of patient safety, Visit us@SenseInet.com that's C-E N S I N-E-T.com I'm your host, Ed Gaudet. And until next time, stay vigilant because Risk never Sleeps.
Episode #99: Quantum Computing and Healthcare Cybersecurity with David Woska, PhD, CISO at Censinet
Host: Ed Gaudet
Date: September 26, 2024
This episode delves into the intersection of quantum computing, healthcare cybersecurity, and risk management. Host Ed Gaudet welcomes David Woska, PhD, Chief Information Security Officer at Censinet, for an in-depth conversation about how quantum advancements could disrupt healthcare security, best practices for CISOs, and the evolving priorities for health tech risk leaders. The discussion mixes technical explanations, strategic insights, and personal reflections on leadership and risk in the digital healthcare landscape.
The conversation is both technical and conversational, balancing deep-dive explanations with humor ("It reminds me of my college days being in multiple states at the same time" – [06:38] Gaudet), personal anecdotes, and practical guidance. The episode is hopeful about advances in risk management and honest about the challenges of the coming quantum era. Above all, both Ed and David stress the importance of adaptability, critical thinking, teamwork, and the human factor in ensuring patient safety and robust healthcare cybersecurity.
Summary prepared for listeners who want a comprehensive understanding of the episode’s content without hearing the full audio.