Making Cyber Risk an Enterprise Risk Management Concern

Cyber risk does not exist in isolation. A successful cyberattack doesn’t just threaten your organization’s protected health information or other sensitive data; cyber risk is inextricably linked to the other risks your organization faces. A successful cyberattack could trigger an enforcement action by a regulatory body, such as the Office for Civil Rights or the Federal Trade Commission. A ransomware attack could lead to business interruption and an expensive payoff to resume operations. Other consequences might include damage to your organization’s reputation, lost patients and revenues, a medical malpractice lawsuit or a negligence lawsuit against C-suite executives and board members.
Downstream, the consequences can also turn into talent acquisition challenges, higher cost of capital and higher insurance premiums. An adverse cyber event can result in serious negative financial, regulatory, reputational, and clinical consequences.
Drawing on his nearly 40 years of experience supporting hundreds of hospitals and health systems with compliance risk management and cyber risk management initiatives, Bob Chaput discusses the important collaboration between the Chief Risk Officer and the Chief Information Security Officer in developing a more comprehensive enterprise cyber risk management strategy for securing healthcare data, systems and devices, one that is part of the organization’s broader Enterprise Risk Management program.
Featuring:
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH, NACD, CERT
Bob Chaput is the Founder and Executive Chairman of the Board of Clearwater, a top-ranked, award-winning provider of healthcare cyber risk management solutions, endorsed by numerous state hospital associations. As a leading authority on healthcare cybersecurity and enterprise cyber risk management, Chaput has supported hundreds of hospitals and health systems, including Fortune 100 organizations and federal government institutions, with cyber risk management. Chaput’s certifications include the Certified Information Systems Security Professional (CISSP), Health Care Information Security and Privacy Practitioner (HCISPP), Certified in Risk Information Security Controls (CRISC), Certified Information Privacy Professional/US (CIPP/US), Certified Ethical Hacker (C|EH), and NACD CERT Cyber Risk Oversight. He is a member of ACHE, CHIME, AEHIS, HIMSS, HCCA, ISC2, ISACA, and ISSA. Chaput also serves on the HealthCare’s Most Wired™ Survey Governance Board and was a contributing co-author to an American Society of Healthcare Risk Management (ASHRM) academic textbook on the fundamentals of risk management released in October 2017. Under his leadership, Clearwater was designated 2018’s Best in KLAS for cybersecurity advisory services and ranked Top Compliance and Risk Management Solution by Black Book Market Research in 2017, 2018 and 2019.
Transcription:

Michael Carrese: Welcome to the ASHRM podcast, made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM.org/membership to learn more and become an ASHRM member. I'm Michael Carrese.

You know, we have a very timely and critically important topic today. According to a recent report in Becker's Hospital Review, cyber attacks against healthcare organizations are expected to triple in 2021. And at the same time, 73% of health system, hospital and physician organizations say their infrastructures are really unprepared to respond to these attacks. Overall, healthcare is four times more likely to be targeted than any other industry.

Our guest today has some key advice to share about how to be better prepared to prevent and manage these incidents. And I know you're going to find his information very useful. Bob Chaput is founder and executive chairman of Clearwater Compliance, and he brings nearly 40 years of experience supporting hundreds of hospitals and health systems with compliance risk management and cyber risk management initiatives to our discussion today. Welcome to the ASHRM podcast.

Bob Chaput: Michael, it's a real pleasure to be here. Thanks for the opportunity.

Michael Carrese: I thought we'd start by having you add to that very brief mention of your background, give us some professional highlights and also tell us a bit about Clearwater Compliance.

Bob Chaput: Sure. Thanks for the opportunity to do that. As you mentioned, my 40 years, I guess, puts me in the class of being entered into the Smithsonian, I suppose, but I've had a terrific opportunity to work for some great companies along the course of my career. I did start as an educator. I spent about 15 years at GE, including some of the healthcare businesses, and moved on to Johnson & Johnson in executive roles. In fact, at GE, I began my career in cyber security. We didn't call it that name at that point in time, but I continued with that work at Johnson & Johnson and had responsibility for our information security function, then went on to another global corporation based in Nashville called Healthways, similarly as their executive vice president and CIO, where I had the responsibility for the information security team and our efforts there.

Subsequently, in my third effort at retirement in 2009, I found myself back on the playing field, helping organizations with cyber security. And notably in the beginning, at that point in time, it was more about complying with the HIPAA regulations as a result of the HITECH Act and the bundle of carrots that came along in the form of $33 billion of meaningful use incentive money and the bundle of sticks that came along in the form of more enforcement around HIPAA.

Around that time, I started Clearwater and built it into a company with about 75 people, serving exclusively the healthcare industry. In 2018, I partnered with a private equity firm to acquire some growth capital and keep the journey going. As part of that, I'm making my fourth effort at retirement and serving, as you mentioned, as the executive chairman of the board.

Clearwater does what one might infer from some of the things I just mentioned: laser focus on compliance risk management and cyber risk management. And notably, I'll knock wood as I say this, we have the distinction of not only having won a number of industry awards but, most importantly, having a 100% perfect track record when it comes to working with clients and submitting our work products to the Office for Civil Rights, whom I would say most people in ASHRM would understand to be the enforcement agency around the HIPAA regulations.

So that's kind of it in a nutshell. I'll add one other thing as sort of a capstone for my Clearwater career and in some respects, other parts of my career, I finished a book that was published last fall, called Stop The Cyber Bleeding: What Healthcare Executives and Board Members Need to Know About Enterprise Risk Management. So once again, it's a pleasure to be with you today.

Michael Carrese: Well, I guess we've got the right guy listening to all of that, for sure. So I first wanted to ask you, you know, when these attacks occur, there's of course a focus on the breach of private health information and other sensitive data and the enormous disruptions that these attacks can cause to patient care and all the other functionality of an organization. But I'm wondering if you could talk about some of the longer term consequences that people might not think about right away. For example, possibly negligence lawsuits against the leadership and other sort of things that kind of flow downhill after one of these attacks.

Bob Chaput: That's a great question and so relevant to, I think, the risk managers, chief risk officers and risk managers out there, and also very relevant to the board and the C-suite in its entirety. What I've observed over the last 10 years: I talked about the HITECH Act being published in the Federal Register back in 2013, actually beyond this final rule was published at that time, the HITECH Act was signed into law in 2009. What we saw at that point was more emphasis by the Office for Civil Rights on compliance. And people said, "Okay, it looks like this is getting serious. It's no longer going to be reactionary and complaint-driven. It looks like OCR is getting serious about it."

Then we moved into, and I'll fast forward from 2009 and 2010 to 2015, what I dubbed the year of the megabreaches. Anthem, Premera, Excellus, large payers had sustained or suffered major breaches. And anybody who was paying attention at the time is aware of that. At Anthem, it was roughly 78 million records that were impermissibly disclosed.

What we're talking about there are compromises of confidentiality. Where I saw things then go, circa 2018, is into the area where now there's an awakening to the fact that our patients have devices implanted in them, perhaps it's a pacemaker, or devices that are attached to them in a hospital. It might be a wireless IV infusion pump. With these devices, and myriad more than those two simple examples, being connected to the internet, part of the so-called internet of medical things, all of a sudden in 2018 there's an awakening that, "Wow, this might be a patient safety issue."

And then finally, although it hasn't happened yet, and I don't want it to happen, I believe that imminently, we're looking at a cyber-driven medical malpractice lawsuit. With that, I believe the worlds of the risk officer or the worlds of the chief information security officer are colliding and they're colliding big time. This is not an IT issue. It's an increasingly more significant enterprise risk management issue. And so that's how I've seen it having evolved.

And then to put, sort of the capstone on that and get back to the heart of your question, so what does that mean? Well, all of a sudden, the second checked a fiduciary responsibility, the matter of duty of care, obligations that our C-suite executives and board members carry in the roles that they have, there can be not only a medical malpractice lawsuit, but derivative lawsuits that follow it.

Michael Carrese: Yeah, boy. It just sort of makes you shudder when you mentioned the malpractice suits based on one of these incidents. So that would be an example of a patient whose care was interrupted, for example and there were adverse consequences from that. Is that what you mean?

Bob Chaput: Yeah. And so at the heart of this subject matter is the question of what is risk all about. And risk, as it manifests itself from a cyber security point of view, is about assuring the confidentiality, the integrity and the availability of information. And I alluded to confidentiality; I don't know of cases where someone died as a result of a compromise of the confidentiality of their health record. Somebody finds out I had my tonsils out when I was five years old, that's not going to be so much of a big deal.

But let me go to the matter of integrity. I mentioned the book, and in the opening chapter of my book I cite research that was done at Ben-Gurion University in 2018, published in 2019, that demonstrated that CT scan images could be hacked and could be modified. Notably, what the researchers specifically showed is that, using machine learning algorithms, they were able to insert cancerous nodules into a CT image or remove them. And furthermore, they demonstrated that they could fool even the most expert trained radiologists.

Think about that for a moment. And it's well-founded research and a lot has been done following on to that initial body of work. The upshot of which is now we've had a case where someone who has cancer, if the cancerous nodules are removed, they're going to be misdiagnosed. They're not going to receive the treatment they ought to get. And so I dramatize it a little bit in the book and tell the story around it. But at the very heart of it is such research. That could be the basis of a cyber-driven medical malpractice lawsuit.

Michael Carrese: Absolutely. Yeah. So let's get to the heart of your advice on this. It seems you're really a proponent of having the chief risk officer and the chief information security officer develop a really collaborative relationship. So explain to me what you mean by collaboration. What does that look like in this context? And why is that so important?

Bob Chaput: Well, as I mentioned a moment ago, their worlds are colliding. And historically, the chief risk officer worried about among other things, spills and falls, fraud, waste, and abuse, and certainly the matter of medical malpractice or hospital professional liability lawsuits. And at that point of time, we weren't so concerned. At a certain point in time, we weren't so concerned about the possibility of these cyber-driven events that I alluded to a moment ago. So I would say the chief risk officer, if I can say CRO and the CISO for the chief information security officer, that's just the beginning. This has got to become a team sport.

Too many organizations, too many individuals, including, sadly, executive leaders and board members, believe that cyber risk is about some sort of IT problem. And it's not. In fact, I would argue there's no such thing as IT risk. They're all business risks. And if you think about risk at its very, very basic component, it's about loss or harm. So for the healthcare delivery organization, that might mean a financial harm in the form of a big payout to the Office for Civil Rights. It might be operational disruption as a result of a case. There have been numerous cases across the globe of ransomware attacks that have totally disrupted services. It could result in reputational harm. That's important and interesting.

But for me, more importantly, it's about our patients, who may suffer reputational harm, relationship damage, financial damage. Medical fraud is rampant. If you think identity theft is something, medical fraud is even more so. And then there can be physical harm. I talked about the case where we have a patient hypothetically misdiagnosed as a result of that. What if somebody hacks into the EHR system and modifies my health record the night before I'm going in for surgery? They changed my blood type. And, in surgery, I need an unexpected transfusion and there's a reading of something that's inaccurate. Administering the wrong blood to a patient can result in death.

And so this is the kind of physical harm that I'm talking about. And as I mentioned, we have the hypothetical research-based modification of the CT image. There are real life cases spanning the globe that show how ransomware attacks can disrupt patient care, including depriving patients of chemotherapy.

So the chief risk officer, information security officer collaborating is only the beginning. It has to really expand beyond those two officer roles into other key members of the executive team.

Michael Carrese: What are some steps along the way? How do you get that collaboration going and establish those deeper relationships?

Bob Chaput: If we start with the notion that the CRO and the CISO are going to collaborate, I would put emphasis on collaborate to lead, break down the silos. I've worked in more than one organization where we have a chief privacy officer, chief compliance officer, a chief information security officer, a chief risk officer, and it's the normal game of finger-pointing and "Whew, that didn't happen on my watch. I'm glad it was a computer system problem and not a patient complaint." So step one, break down the silos.

Step two, facilitate education. Step three, begin to engage the process leaders, align the business leaders and functional leaders in your organization. I've built over time, with a number of organizations that I have run and organizations with whom I've done consulting work, a three-tier model for what I call enterprise cyber risk management governance. The top tier includes the board, then the second tier is the executive leadership team, and a third tier is a working group. And depending on the size of the organization, I would encourage these two leaders to help form the second or third or fourth tier, whatever's appropriate for that organization. Lay down what has to be a foundation for what truly is a transformational program.

We have talked about digitization of healthcare, and certainly the HITECH Act and the $33 billion have stimulated that, and it continues. It has been truly transformational. What we've not had alongside of it is the concomitant transformational program to raise enterprise cyber risk management in the organization.

And then the last thing I'll say is relentlessly drive to understand what your organization's unique exposures are. If you've seen one hospital, you have seen one hospital. If you have seen one ambulatory surgery center, you have seen one ambulatory surgery center. This is not about a one-size-fits-all control checklist where you do the same thing no matter where you are. It's really about understanding your crown jewels, your unique exposures, and then dealing with those.

Michael Carrese: Unfortunately, we're running out of time. I do want to wrap up by having you talk about the benefits an organization can expect to achieve by doing what you're talking about, making cybersecurity a more integrated component of the enterprise risk management program.

Bob Chaput: I think we've touched on some of those. But I'll try to pull them together and put them in a package. So first of all, if risk is about loss or harm, the benefits of such a program include avoiding or minimizing reputational damage, losing patients and revenues, avoiding a medical malpractice lawsuit and potentially some derivative lawsuits that follow along with that.

If one establishes a true transformational enterprise cyber risk management program, it's going to help you align your duty of care responsibilities. It's going to help you comply with diverse regulatory requirements. It's going to help you get out of this mode of tactical technical spot welding that I see all too often. It's going to position you for legal action in the form of an affirmative defense. It's going to facilitate M&A activity. So this is not just about defense. This can be about playing offense. And for many US organizations, it can become a market differentiator. The punchline, for me at least and I would say most of the organizations with whom I've worked, is about saving your patients, preserving your reputation and protecting your balance sheet.

Michael Carrese: Well, it doesn't get more important than that. I want to thank you very much for being with us today. Our guest has been Bob Chaput. He's the founder and executive chairman of Clearwater Compliance, also author of the book, Stop The Cyber Bleeding. Thanks so much for being with us today.

Bob Chaput: My pleasure. Thank you, Michael.

Michael Carrese: This podcast is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM.org/membership to learn more and become an ASHRM member. I'm Michael Carrese. Thanks for listening.