Cybersecurity and F1 Racing: Driving Success Through Teamwork, Precision and Risk Management

In this episode, John Riggi, AHA’s national advisor for cybersecurity and risk, is joined by Jonathan Ehret, vice president of ecosystem risk solutions at Mastercard Cybersecurity. They explore how the precision, teamwork and split-second decisions of Formula 1 racing mirror the demands of a high-performing cybersecurity program in health care. Just as no F1 driver wins alone, no CISO can protect an organization without the right people, processes and technology in place. From phishing response to third-party risk, it’s a race against time — and the stakes couldn’t be higher.


Featured Speaker:
Mastercard Cybersecurity

Jon Ehret is Vice President of Strategy and Risk for RiskRecon, a Mastercard Company.

Transcription:

John Riggi (Host): Hello, everyone, and thanks for joining today. I'm John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity and Risk Providers Bringing Value, a podcast from the American Hospital Association. Today's topic is Cybersecurity and F1 Racing: Driving Success Through Teamwork, Precision, and Risk Management.


And I'm very, very pleased today to be joined by John Ehret. He's the Vice President of Ecosystem Risk Solutions at Mastercard Cybersecurity. Folks, Mastercard Cybersecurity, great firm. They're recognized as an American Hospital Association-preferred cybersecurity and risk service provider. And John will be really adding his perspective on this topic.


I know what you're thinking: how did we come up with cybersecurity and F1 racing? So, bear with me just a moment here and I'll give you my thoughts. So first of all, I'm a very, very big F1 racing fan. And as I would watch the F1 races on Sunday, I would see the Mastercard logo on the current winning McLaren F1 racing team, the two top drivers in places one and two. Again, McLaren leading the pack there. And I'm always amazed at the precision with which these guys drive cars at these incredible speeds, Oscar Piastri, Lando Norris, just amazing.


So, I started to think about how so much attention is always focused on the driver in F1 racing, right? It's the driver who gets the trophy, the podium, the checkered flag. But then, I notice that these F1 drivers, whenever they take the stand, the podium, the winning drivers, the first thing they do is they thank the team, recognizing them for all their support from the pit crews to the designers of the car, the sponsors and so forth. And it made me think about F1 and cybersecurity. And when I was watching these winning drivers, again thanking their entire teams, I began to realize it's not just about the driver. It's about people, process, and technology—the three principles of cybersecurity as well.


And we think about an F1 racing car and the pit crew, the design of that car, the pit crew having the ability to change four tires in two seconds, is it 2.2 or 2.3 seconds? Then, I think about the cybersecurity staff in a hospital, how quickly can they react to detecting a potential ransomware attack. It could mean the difference between a ransomware attack averted or a ransomware attack shutting down a hospital, 2.2 or 2.3 seconds.


So, let me introduce John again. So, John Ehret, again, pleased to have him here from Mastercard Cybersecurity. John, can you share with our listeners a little bit about your professional journey and expertise, as well as how RiskRecon for Mastercard supports AHA members?


Jonathan Ehret, CISSP, CISA, CRISC: First of all, John, thanks for having me here. Really excited to be able to do this with you. So, my journey is a long one. I've been in the third party risk and cybersecurity space since 2004. I spent a lot of time working in great organizations like HSBC, Royal Bank of Scotland, and did a long stint in healthcare, which is really applicable to what we're talking about today, working for Blue Cross Blue Shield. And along the way, I managed to found a nonprofit related to third party risk, and came over to RiskRecon Mastercard after they were acquired, and had just built my career talking and focusing on third party risk and cybersecurity.


When we talk about Mastercard and the AHA, it's a fantastic partnership. And we're really here to help hospital systems of all sizes from your small rural hospitals to your large university hospital organizations, because they have very different needs. Your large hospitals are going to have the staff, but they're also going to have a lot of noise. They have potentially thousands of vendors that they're working with. And we help them with our RiskRecon product to try and make sense of that noise.


And the rural hospitals have a very different focus. Oftentimes, they're very small. They don't have the staff to keep tabs on everything that's going on. And a failure with one of those hospitals really ripples out in the entire community. I grew up in a very small town. We had one hospital. Everybody that needed anything had to go to that hospital for 20, 30 miles around and, you know, if there was ever an issue with that hospital, it was really devastating to the community.


So, being able to come back and help small hospitals like that is really something that's near and dear to my heart, and something that Mastercard really focuses on. And you may wonder why Mastercard is in cybersecurity; that's a question we get many, many times. And really, if you think about it, it makes a lot of sense. Mastercard has this gigantic ecosystem that we want to protect. And if you look at how big that ecosystem is, it has fingers into every vertical imaginable. And healthcare is one of those. So, it's the next logical step for us to diversify from just cards and payments into actual cybersecurity, because we believe that protecting our ecosystem ends up in a rising-tide-raises-all-ships sort of scenario. There's a direct application to healthcare with all the work that we do with hospitals.


Host: Yeah. Thanks for that, John, and drilling down on a couple of things you said. Those small hospitals, those community hospitals that so many of us depend on: when I speak to policymakers and legislators and so forth and, obviously, our cybersecurity professionals, we talk about how the attacks on hospitals are not just an attack on a hospital, a system, or the technology. When attacks result in the compromise of patient data, obviously, we're very concerned about that. But when ransomware attacks strike a hospital and disrupt and delay healthcare delivery, these aren't attacks just on the patients. These are attacks on the entire community, your local community like the one you grew up in, that depends on the availability of its nearest emergency department, its nearest hospital.


So, that's why we here at the AHA, and I always repeat it, call attacks on hospitals, ransomware attacks on hospitals, threat-to-life crimes. And ultimately, these are crimes which really endanger the entire public health and the safety of the community that depends on that local hospital. And it just makes sense in my eyes, with Mastercard dealing with massive amounts of data, and being able to manage and secure that data for decades.


In fact, in healthcare, when we look to other sectors to emulate and aspire to, we always look at financial services and understand how their experience in technology might be applicable to healthcare cybersecurity. So, we congratulate Mastercard and RiskRecon for having the foresight to understand that your tools are capable of helping protect healthcare and then joining us in your offering there.


So, I opened up a little bit about F1 racing. I know when I first mentioned this to a few folks, it was, "John, well, again, F1 racing and cyber?" Again, people, process and technology. So from your perspective, John, what do you see as the parallels between Formula One racing and healthcare cybersecurity? And can you share with our listeners what inspired you and us to collaborate on this analogy?


Jonathan Ehret, CISSP, CISA, CRISC: First of all, I think it's a fantastic analogy when you really break down things. Obviously, the McLaren partnership for us with Mastercard is a huge motivator. It brings different things to the forefront. But when you really sit down and look at Formula One, and I know listeners here are probably going to have watched Drive to Survive, they might have seen the F1 Movie, right? It's just amazing what these drivers do. And like you said before, it's not just the driver, it's the entire team.


And if you look at how you operate a car at 220 miles an hour, hard braking into a corner and then coming out and accelerating just as fast, there's a lot of risk involved in that, and there's a lot of quick decision-making, and that is an extreme parallel to hospitals, right? I have family members that are in the medical world, and the stuff that they have to deal with on a daily basis, the quick decisions to save a life. Like, in F1, you're trying to win a race. In healthcare, you're trying to save a life. That's a huge thing. And that split second decision-making, being able to do that sort of stuff is paramount. And at the end of the day, there's a lot of data involved, right? You look at someone in the hospital, you have all sorts of biometric readings and all the testing that we do. And F1 is very similar. I started doing some research on this. And an F1 car has about 300 sensors. And it captures a million different data points at any given point in time during a race. At the end of the season, I think that the number I saw was, for a single car, they capture about 12 terabytes of data.


Host: That's amazing.


Jonathan Ehret, CISSP, CISA, CRISC: All telemetry, right? And that parallels healthcare, right? If you're in the hospital, you're being monitored, you have all this stuff going on, you want to know exactly what's going on. If something changes, you need to be able to pivot and address that. And the F1 car is very similar, right? It's not just the guy driving the car because guys have been driving F1 cars since 1950.


Host: You can have the best driver, but a poor machine, right?


Jonathan Ehret, CISSP, CISA, CRISC: Right. And at the end of the day, like, guys have been driving those cars since 1950. But now, they're going 70 miles an hour faster. They're wider cars, they're quicker. Have you ever seen a steering wheel on an F1 car? There's so much data coming into that steering wheel. There's so many different options. It's crazy. So, these are real complex systems. It's not just the driver and with healthcare, it's not just the doctor, right? There's nurses, there's clinicians, there's IT and cybersecurity folks behind the scenes making sure that all that stuff is available to them to be able to do the things that they need to do. And like at the end of the day, it's a really good parallel in my mind.


Host: Yeah, totally agree, John. I mean, some of your comments, just like in F1, one wrong move, one hesitation can cost the team a race; and in healthcare, the same. It can cost a patient their life without understanding, reacting quickly, no room for mistakes. The precision, the millimeters away from recovery or disaster, are very, very similar. So in cybersecurity, again, delays in detection or response can have devastating consequences. In your opinion, what can healthcare organizations learn from F1 about responding swiftly to cyber incidents, again, when milliseconds matter?


Jonathan Ehret, CISSP, CISA, CRISC: I think it comes down to practice, practice, practice, right? If you look at an F1 team, they'll drive a race course thousands of times in practice before they ever get on the course just for qualifying. They'll do it virtually. They'll test drive the car. And they'll plan for every single scenario. They'll know when to switch tires, if it's going to rain, if it's going to dry; they'll look at weather forecasts, look at all that sort of stuff. And that's really what we need to do in the healthcare world when it comes to cybersecurity, and it's preparing for them, right? It's no different than preparing for not having any power for the hospital; that's something that every hospital system tests for and makes a part of their incident response programs. And cyber is no different, right? At the end of the day, cyber is a critical piece of infrastructure. It keeps our systems moving and we have to be able to plan for that.


So, practice, practice, practice. Go through different scenarios, do all the testing you need. Take your hospital for its thousand test drives before you ever have to make that tough decision and deal with something. Because at the end of the day, even the best systems fail, right? We've done a bunch of testing analyses of companies with great healthcare. And even the companies with the best healthcare postures, 5% of them still experience a breach or a ransomware event. So, it's going to happen someday. Be prepared for it.


Host: Yeah, totally agreed. And we advise that quite often; we repeat it. In fact, here at this conference, we'll be doing a major tabletop exercise tomorrow morning. They have to practice. In my former life and world at the FBI, we would always talk about training like you would fight, training like you would do an operation. And the same goes here for healthcare cybersecurity teams. They have to be able to practice for when an attack occurs, but also with the clinical folks as well.


So, speaking of the CISO, in a sense, he or she is the driver of the cybersecurity program. But the CISO alone cannot protect an organization without the right team, the right platform, like the car, the right F1 car, the right technology, and the right processes in place. What advice do you have for hospital leaders in really building an elite cybersecurity team, like McLaren and Mastercard, that functions with the same level of precision and teamwork?


Jonathan Ehret, CISSP, CISA, CRISC: I think you need to have the right pit crew, right? You said it before numerous times: it's not just the driver, it's also everybody else. And it goes even beyond the pit crew. If you look at an F1 team, they have sports psychologists, they have all sorts of people sitting behind the pit crew. There are 20 to 30 people at least that are monitoring everything and engineering and all sorts of stuff. So, it's building that right group. And it's, like I said, not just the CISO. They're not in it alone. It's building those partnerships with the clinical groups and all the different important people so that you can go through that testing that you talked about. Having the right tools in place to be able to address the things that do go bump in the night and do pop up, unfortunately.


You know, we hear about things every day where there's new stuff popping up and being able to address that sort of stuff, having the right visibility and the situational awareness of what's going on, right? I think that's a critical thing these days. A lot of times, we've kind of tried to bury our head in the sand to some extent, or just worried about our own boundaries. And it's bigger than our own boundaries because our perimeter is now our vendors and having situational awareness of that entire ecosystem is paramount.


There's a lot of different things. And I guess I can't stress it enough for the CISO to make those partnerships with the different groups, with risk management, even with legal, and all those groups so that, at the end of the day, when something does go wrong, you have the right people ready to jump in. And nobody wants to live through an incident.


Host: You have your direct team and the extended team; it's all part of winning the race, in a sense.


Jonathan Ehret, CISSP, CISA, CRISC: Right, right.


Host: So, really interesting what you said. I want to focus on this just a bit. You said, often you depend on these third parties. So, just like an F1 team, you can have the best team internally trained. My folks are great, but you're relying on external technology, processes, engineering people, which could disrupt this perfect symmetry and balance you have internally. The same, obviously, as we know, applies in cybersecurity for third party risk. I just looked at the numbers again, reported to the Office of Civil Rights for breaches. Once again, third year in a row, 75% of the breaches targeting healthcare relate to breaches from non-hospital healthcare providers, third parties and business associates, 75%. So, we are doing our best to try to control our own environment, work internally, and yet we are subject to risk which is introduced to us through third parties.


So, talk to us, John, again, from your perspective. As with F1, as I talked about, in cybersecurity, what strategies should healthcare organizations adopt to assess and manage this supply chain, this third party risk?


Jonathan Ehret, CISSP, CISA, CRISC: Yeah. And you bring up a really good point there, John. Because you know, at the end of the day, if I'm an attacker, if I'm a bad guy, is it easier for me to attack a hospital system and I get one hospital system? Or is it easier for me to attack a vendor maybe that's supporting 20 or 30 hospital systems and get everything, right? You have that concentration risk, which is something to be considered.


And, you know, from a third party standpoint, oftentimes, we focus just on maybe assessing that vendor once. And we don't really do much beyond that. But if we go back to that F1 example, as you mentioned, they have tire suppliers, they have engine suppliers, they have brake suppliers, they have all that sort of stuff. They don't just buy those things and then never look at them again. They do some due diligence on the vendor. They buy the parts. Then, we talked about those thousand different test drives that they take. So, they're out there, they're testing those parts.


Host: Constant monitoring through what you say, 300 sensors, terabytes of data.


Jonathan Ehret, CISSP, CISA, CRISC: Yeah. So, you have that first piece, which I would say is very much like what a lot of companies do with a security questionnaire. And then, the second piece is more like what we do with RiskRecon, that continuous monitoring. I'm going to keep looking at things as they go on. And then, you get into the threat intelligence aspect of stuff. What's going on at this one second? Is there a tire that's overheating, right? Is there a brake caliper that's not functioning properly? And I'm going to address that before it becomes an issue.


John Riggi (Host): Exactly.


Jonathan Ehret, CISSP, CISA, CRISC: Through that testing, you also mentioned. Testing under real-world conditions, under race conditions, and I say and as we always advise, under threat conditions, under attack conditions as well.


Host: So John, we're in our final lap, so to speak. Really fascinating journey here from the racetrack to risk management as we have drawn out our analogy. So, let's bring it home to the checkered flag here, onto the podium. So, what final piece of advice would you give to CISOs or hospital execs looking to win the race against cyber threats? But I also wanted to point out for our listeners that Mastercard has really gone the extra lap for AHA hospital members and is offering some special discounts, really understanding the severe financial strain hospitals are under now and will be as these massive Medicaid cuts come into effect next year. Over to you, John.


Jonathan Ehret, CISSP, CISA, CRISC: Yeah. John, I think at the end of the day, we don't want price to be the roadblock between a hospital being secure and a hospital not being secure. So, we're looking to work with hospital systems of all sizes, meet them where we can, and try to come up with a package that works for everybody and helps them feel like they've got one step closer to being secure.


My advice to hospital executives would be: treat your cybersecurity team as your pit crew. At the end of the day, we want to get our car across the finish line. We want our hospital system to succeed. We want our patients to have the best possible healthcare outcome that they can, and have the most qualified staff and best tools available to them. And that really comes with the cybersecurity and IT teams, making sure that those systems are available to them, that they're not under attack, that all that patient data, if somebody comes to one of our hospitals, is secure. They don't have to worry about that sort of stuff. So at the end of the day, the cybersecurity team is your pit crew. They're there to help make sure that your car makes it across the finish line. And it wins the race, because the bad guys, they're also in that same race as us, and they don't always play by the same rules.


Host: Totally agree, John. Again, thanks for being part of our team and our winning team.


Jonathan Ehret, CISSP, CISA, CRISC: Appreciate it, John. Thank you.