In this episode of the American Hospital Association (AHA) podcast, Kathleen Wessel, Vice President of Business Management and Operations at the AHA, is joined by Vince Crisler, Chief Strategy Officer for Celerium. Together they discuss the organizational challenges related to data breaches, as well as approaches that can help address data breach attacks from an enterprise risk management perspective.
Improving Data Breach Defense in Hospitals and Clinics
Celerium
Kathleen Wessel (Host): On average, 1.8 hospitals experience a data breach every day. Beyond exposing patient information, the downstream effect of breaches disrupts operations and creates a host of issues that hospitals and their executives need to address.
Welcome to AHA Associates Bringing Value, a podcast from the American Hospital Association. In this series of podcasts, we speak with AHA associate program business partners, check in on their efforts and learn how they support AHA hospital and health system members. I'm Kathleen Wessel, Vice President of Business Management and Operations at the AHA, and today I'm joined by Vince Crisler, Chief Strategy Officer for Celerium.
In this episode, we'll discuss organizational challenges related to data breaches as well as approaches that can help address data breach attacks from an enterprise risk management perspective. Vince, welcome to the podcast.
Vince Crisler: Thanks, Kathleen. Excited to be here.
Host: I know this is going to be an interesting conversation for us. First, we typically start off these podcasts by just sharing a little bit about yourself and your organization. Do you want to start off by sharing with our listeners?
Vince Crisler: Absolutely. Yeah. My name's Vince Crisler. I'm the Chief Strategy Officer for Celerium. I've been in IT and security for my entire career.
Started off as a, uh, communications officer in the Air Force, and then kind of my career took a turn when I had the chance to serve at the White House as the Chief Information Security Officer for their unclassified networks. Really cool opportunity to kind of see cybersecurity from the pinnacle. After the White House, I spent some time supporting Department of Homeland Security and their national cybersecurity programs there.
And the key part of that program was around, you know, nation state threats to critical infrastructure and the federal government, and, uh, a lot of really cool lessons learned there. After leaving Homeland Security, I founded a company, a product company that I thought represented a big gap in the market around the automation of security for, you know, widely distributed organizations, small and medium businesses.
I founded it in 2014. We grew pretty significantly, had a big impact on the defense industrial base, protecting the supply chain at the DOD and ultimately I came across Celerium and the founder of Celerium, Aubrey Chernik. And he and I had a, a handful of really great discussions. I mean, he really understands cybersecurity at the national level deeply, and it just became obvious to, to join forces.
And so Celerium acquired my company. I've been with Celerium for over two years now, and it's been an exciting journey to be able to grow and scale and build faster than we were before. And we're expanding into lots of different areas, doing state, local, county government work. We're doing a lot of work in healthcare now.
Just a lot of really, really challenging needs in cybersecurity for innovative solutions, and that's what we're working on.
Host: Your background is fascinating. We could probably, you know, spend a dozen podcasts just on that alone, and congratulations on the success that you've achieved through the various ventures.
That's amazing. Diving into the meat of the, the discussion, you know, hospitals and clinics face data breaches at an alarming rate, as I mentioned, uh, nearly 1.8 incidents happening daily. Historically, this has been delegated to the IT department, Directors of IT, the CISOs, but help establish the case for why hospital business and clinical executives should be involved in data breach defense.
Vince Crisler: It's a great question, and I think probably one of the most important ones we're going to talk about today. You know, I think it's important for leaders to, to delegate and have people that they trust beneath them.
Host: Mm-hmm.
Vince Crisler: I think in the IT and security space, it's done not just because it's good leadership, but also because people are afraid they don't understand the technology. The beeps and the squeaks and all of the terms. Especially in healthcare, I think where people are so focused on, you know, patient outcomes, health and safety, let's just leave the technology to the technologists.
Host: Right
Vince Crisler: That's one of the biggest mistakes that's being made in healthcare today though, because these executives own the risk, regardless of what they think about the risk, they own it. It's their responsibility. And you know, we haven't seen things get better in healthcare on the cybersecurity side. And I think mostly because this separation between the physical world of healthcare, you know, interacting with patients and that vast separation between that and technology.
There's nobody in a better position in healthcare to understand the second and third order effects of IT systems having issues than the healthcare executives. So if they're not in those discussions, we just have a big impedance mismatch between these executives and the IT folks. And kind of the final thing I'll add in here is, you know, while healthcare executives may not feel qualified to interact with the IT world, they are exceptional at managing risk.
They do it every day in a high-paced environment with lots of stress. IT risk is the same thing. You have systems that have an effect on the real-world, on your business processes. You just need to encapsulate your thinking about risk in the IT world and have it touch what you understand in the physical world. And I think things will change and evolve for the better.
Host: Makes perfect sense. I, I actually love the framing that you, you've added there. If we move beyond the data breach prevention, which, which is hard because that is significant. Should hospitals have early awareness of potential data breach activity?
Vince Crisler: Yes.
Host: Short answer.
Vince Crisler: Early awareness is everything. I think if you look, there are tens or hundreds of reports out there about data breach activity. I think what's shocking to me, and it pretty much holds, is, you know, most of these data breaches, it takes companies six months to discover a data breach has occurred.
Then probably another two to three months to contain it. If you have any understanding of the technical world, that's ludicrous. If an attacker has six months in your network, that is an eternity. They can map out every bit of information you're processing. They can understand the value of the data. They can extract data so slowly that no matter how good your systems are, you may not detect it and even worse, you know, they can start to spread out into your partners and suppliers and vendors.
It's gut wrenching and horrible to have a breach as a healthcare company, but when you find out you are the source of the breach of another 20 or 30 companies and it's on your shoulders, that's even worse. And so understanding that early awareness is key and just deploying kind of the standard systems because that's what's in the best practices, thinking that that's going to get you early awareness is not true. We have to be more creative and that's one of the things we're really passionate about here at Celerium is how do we get those early indicators faster? What are the smaller things we can focus on to figure this out sooner than later?
Host: Great advice. You mentioned standard, and if we think about the standard IT systems or, or what a lay person, a non-IT, non-technical person would think of, what are some of the other types of applications and systems that can be affected in hospitals and clinics?
Vince Crisler: Everything we do in healthcare relies on digital systems today and therefore is at risk. You know, everything from the basic scheduling and phone systems, the increased digitization of patient electronic health records, how we track patient history and outcomes, down to MRI machines and more. Everything is connected and unfortunately, a lot of these systems have also been around for a while and can't be updated.
So we have, you know, digital systems on our networks that haven't been updated in 10 years and they have, you know, glaring vulnerabilities, but they're connected to the same network as everything else. You know, one example I like to run into here is, you know, if a printer goes down, is that a big deal? I think most people would say, well, I can just use another printer.
You know, images of Office Space and kind of going to town against a printer with a bat come to mind here. But, uh, what if that printer was actually the wristband printer for your facility?
Host: Yeah.
Vince Crisler: What if it's not just not printing? What if it's mixing up information? What if it mistypes a blood type? What if it reverses a number and you pull up the wrong patient's records when you scan that wristband?
These are the things that I think when you go through your day-to-day life as a healthcare professional and the physical things you rely on, tracing that back to the digital systems, get us a better view of how big this risk can be.
Host: During a data breach, you've referenced kind of the information can be mapped rapidly, uh, it can be stolen rapidly. So, the IT team might need to isolate different systems. Hey, you know, how can the business and clinical leaders understand these developments and kind of wrap their brains around what is happening there and what needs to happen to mitigate?
Vince Crisler: I think it's kind of simple, but it's very, very complex. The business executives just need to understand how they rely on IT systems and how they would react if any individual system or group of systems go down.
How do you continue business? You know, this is in the world of business continuity. How do you track and validate records to make sure that they're correct? How do you pull up historical information? You know, there are lots of parts and pieces here where if IT discovers a breach, the response may need, we need to turn these systems down to stop the spreading of that breach.
And so then the business executives need to take that handoff from a continuity standpoint and say, okay, we need to transition to A, B, or C and a great way to take care of this. And I think you hear this recommended a lot, and I think it's thrown away just because it kind of feels superficial. But tabletop exercises are huge, and tabletop exercises don't need to be overdone.
I've sat in the room with, you know, Fortune 100 company executives, with board members, and, you know, gone through tabletop exercises as simple as like, here are five questions I want to ask you to contemplate. So we have an issue. This system goes down. What do you all do? And somebody's like, well, we do this.
And they're like, well, we can't do that because of this. And so, you know, even sitting around the lunch table, you know, once a month and asking key questions about how you would respond if certain things happened in the digital world and their impact on your physical world, that can be a game-changer for healthcare organizations.
Host: I feel tabletop in this scenario specifically really can help wrap your brain around what is happening and the considerations that you need to make. Great example. Unfortunately, this is our last question because I, I have a million others. But given the business risks and consequences associated with data breaches, what is the role of the executive during an actual data breach attack? Who should be involved? When, kind of, can you characterize that for us?
Vince Crisler: As a, as a healthcare executive, you should know the answer to this already, but my guess is you don't, or a lot of you don't. In the technical world, this kind of gets defined in an incident response plan, and it's your responsibility as an executive to understand that incident response plan.
When IT has an alarm go off, they investigate it in some form or fashion. At some point they say, Hey, this is either a false positive or this is actually something legitimate. And when they start to feel like it's more legitimate, they start to increasingly elevate responsibility. And so really understanding how your job interacts with that incident response plan is key.
And this should be all integrated into your contingency planning. And I know every healthcare executive out here listening to this is probably saying, yeah, in all of my free time, right? In healthcare, I think executives are probably some of the hardest working folks in any industry. Just the amount of work, the amount of compassion and caring and the toll it takes on people is really tough.
But this contingency planning is part of your job. There's some great information on the HHS website on contingency planning that executives should be familiar with. If you haven't gone through that information, dig it up. Continuity planning, recovery planning, disaster planning. This falls on your shoulders as a healthcare executive.
If you're not paying attention to these things, you're being negligent. I'm sorry. It's something you've got to do, you've gotta find a way to do it. You know, whether it's a fire that happens in your server closet or your data center, or a hack by nation state actor, the impact looks and feels the same. So you have to start understanding the digital systems you're relying on, how those impact your physical world, and how you as an organization will respond given a multitude of scenarios to continue to focus on patient health and safety, which includes the digital world.
Host: Thank you. That overview and those examples were perfect. Again, I have at least a dozen other questions, but I know our time is limited.
But I really want to thank you, Vince, for joining me on the podcast today and sharing your takeaways with members. I think this really helps illustrate the importance once again, I know this is something the AHA has been talking about for some time with our cybersecurity and risk team, but really hearing kind of your experiences really brings us to light, so I appreciate that.
Vince Crisler: Thank you. And as you can tell, this is an area I'm very passionate about and I'm super excited to be working with AHA and kind of everything you're working on, it's really important mission. Probably one of the most important missions is taking care of people.
Host: Yeah. Critical element and it will impact everyone. So we're all in it. Thank you so much. For our listeners, if you'd like to learn more about the AHA associate program or anything that you've learned on this podcast today, please visit us at sponsor.aha.org. This has been an AHA Associates Bringing Value Podcast, brought to you by the American Hospital Association.
Thanks for listening.