99 episodes

healthsystemCIO.com Podcasts feature interviews and panel discussions with health system IT leaders.

healthsystemCIO.com Anthony Guerra

    • Technology
    • 5.0 • 3 Ratings


    Q&A with Yuma Regional Medical Center VP/CISO, Blaine Hebert: "Getting the Basics Right Goes a Long Way"


    It’s the key question all CISOs have to ask themselves – especially those at small- to mid-sized organizations whose cyber teams run in the single digits as opposed to hundreds: how do I operate so as to get the biggest bang for my limited buck? For Blaine Hebert, VP and CISO at Yuma Regional Medical, it’s all about picking a cyber framework and sticking to it. In doing so, he says hospitals and health systems will, by default, focus on key foundational issues – the blocking and tackling whose neglect is often the root cause of so many breaches. But it doesn’t stop there: Hebert also recommends building relationships with key users before an incident to facilitate business continuity – ‘you don’t want to get introduced for the first time during a breach,’ he advises. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Hebert covers these issues and many more.






    Bold Statements

    There’s a tendency in healthcare – and probably other industry verticals – to focus on the new shiny thing in cyber, and I think we miss the boat if we don’t just stick to the foundational issues.

    In healthcare today, unfortunately, CISOs are really still not given a seat at the big table. They are still relegated to a direct report – it could be the CIO, CTO, whatever the case may be. I think there are not enough CISOs that are given board-level visibility.

    To me, my part as a CISO is I’ve got to have that pre-coordination effort done. I need to know all those people by name, have coffee with them, get to know them, let them know I’m here to support them.

    Anthony: Welcome to healthsystemCIO’s interview with Blaine Hebert, VP and CISO at Yuma Regional Medical Center. I’m Anthony Guerra, Founder and Editor in Chief. Blaine, thanks for joining me.

    Blaine: Great to be here, Anthony. Thanks for having me.

    Anthony: Good. Looking forward to having a fun chat. You want to start off, Blaine, by telling me about your organization and your role?

    Blaine: I’m the VP and CISO at Yuma Regional Medical Center in Yuma, Arizona, been there approximately a year now. We’re a 400-bed, not for profit hospital. Pretty small cyber team. I’ve got four direct reports that fall underneath me. I’m the first CISO that Yuma Regional has had. Prior to that, they had some virtual CISOs that were supporting the organization.

    Currently, we’re a one-hospital system there. Really, the only regional medical center between San Diego and Phoenix, so quite a large population here that we support.

    Anthony: Very good. I want to start out with the open-ended question and just see what’s on your mind. What are some of the trends that you’re watching? Either things you’re working on or trends you’re watching, just what’s top of mind right now?

    Blaine: Well, I don’t think there’s a CISO in our industry that doesn’t lose sleep over ransomware. That’s probably the number one ticket item. Then, AI is really in the forefront right now. We’re trying to get our arms around some governance structure for AI and doing some good things there. Really, first and foremost for me is just making sure that we’re doing the standards and the foundations right at Yuma Regional.

    There’s a tendency in healthcare – and probably other industry verticals – to focus on the new shiny thing in cyber, and I think we miss the boat if we don’t just stick to the foundational issues. That’s so evident now that Change Healthcare thing came out and sh...

    • 36 min
    Cedars-Sinai CIO Craig Kwiatkowski Talks Overhauling ERP, AI Governance & Immersive Learning


    With so many new technology solutions hitting the market, it’s becoming increasingly common for health systems to add accelerator or incubator programs to separate the wheat from the chaff. Because although there are many brilliant ideas, there’s often a lack of understanding when it comes to workflows and other challenges, according to Craig Kwiatkowski.

    The Cedars-Sinai Accelerator, established in 2022, aims to address this “knowledge gap” by granting access to end users, stakeholders, and thought leaders throughout the organization so they witness firsthand how care is delivered. It’s one reason why the program has already counted several success stories, he said. Another is the fact that the Accelerator is extremely selective, focusing only on products that “scratch an itch or solve a problem.”

    During a recent interview, Kwiatkowski spoke with Kate Gamble, Managing Editor and Director of Social Media, about the many initiatives his team has in place to improve efficiency and quality for providers and patients at Cedars-Sinai, an academic organization serving more than 1 million individuals across the Los Angeles community. He shared insights on the “major overhaul” of ERP systems that will help centralize services; the three-pillar AI governance structure his team has created; and the unique experience he gained during his time as a pharmacist.




    Bold Statements

    Our focus is on reducing friction, improving efficiency, and simplifying things where we can, and there is certainly no shortage of opportunities and possibilities to do just that.

    It was a really nice win for the organization; more of an operational transformational project that included a number of business process changes and other efficiency opportunities. And of course, technology is the enabling piece that sits underneath that.

    We’ve spent the better part of the last 10 to 15 years implementing EMR and EHR technology and really focusing on the clinical solutions and tools that are so fundamental to the work that’s being done. I think that has come at the expense, in many cases, of focusing on ERP and other administrative or back-office solutions.

    We try not to create bespoke technology solutions that the companies are going to have a challenging time deploying and scaling outside of Cedars. We’re helping think about what will work broadly and be forward thinking as they’re deploying their products moving forward.

    Innovation is often easier than adoption. I think that’s particularly true in healthcare.

    Safety in particular is something I’ve always been very passionate about. I think it connects very well to the way in which we try to serve the organization from a technology standpoint and the importance of the work we do.

     

    Q&A with Craig Kwiatkowski, SVP & CIO, Cedars-Sinai

    Gamble:  Thanks so much for taking some time to speak. I appreciate it. I want to talk about your core objectives, particularly in terms of driving innovation. Let’s start with a high-level overview of Cedars-Sinai. Can you talk about where you’re located, what you have in terms of hospitals, things like that?

    Kwiatkowski:  Sure. That’s a good place to start. Cedars-Sinai Medical Center is a non-profit academic medical center with about 900 beds. We provide a wide range of services in the Los Angeles area with a number of different specialty programs, including cardiology, ortho, neuro, GI, cancer, and women’s health, many of which are highly regarded.

    In addition to the main campus,

    • 30 min
    Q&A with Tower Health VP of IT Assurance & CISO Terry Grogan: "CISO Success Hinges on User Buy-In"


    You might think a former drill sergeant turned CISO would lead with a ‘my way or the highway’ approach, but for Terry Grogan, VP of IT Assurance & CISO at Tower Health, that couldn’t be further from the truth. That’s because, according to Grogan, such leadership will only see you followed when seas are calm, but when the storm strikes, teams look to rally around those who they know have their best interests at heart. And Grogan shows that sentiment by embracing a “see something, say something” mentality where users are encouraged to “tell on themselves” if they accidentally give up their credentials to some kind of compelling scam. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Grogan covers these issues, where most attacks are coming in, and why she sometimes embraces a ‘lock it down and ask questions later’ dynamic.






    Bold Statements

    We’re looking for lateral movement, looking for command and control, impersonation of users, escalation of privileges. And you need multiple log sources to stitch that picture together. It can’t be just what’s happening on the endpoint anymore.

    I believe our users have gotten much more willing to tell on themselves, because we make it far less painful for them to get back into the system and back to work.

    … what I do is automate on the side of caution. So I’ll lock a machine or a user out with an automation based on hitting certain roles. Whether I’m wrong or not, it doesn’t matter. I’d rather say, ‘I’m sorry, I didn’t mean to lock you out,’ than to not have taken that quick action if it really was something important.

    Anthony: Welcome to healthsystemCIO’s interview with Terry Grogan, VP of IT Assurance and CISO at Tower Health. I’m Anthony Guerra, founder and editor-in-chief. Terry, thanks for joining me.

    Terry: Hey, thanks so much, Anthony, for having me. I really appreciate the opportunity.

    Anthony: All right, very good. Thank you. Terry, can you tell me a little bit about your organization and your role.

    Terry: Tower Health is a 3-hospital health system. We also have, in addition to Reading Hospital, there’s Phoenixville and Pottstown Hospital, and we also have a joint effort with St. Christopher’s Hospital for Children in Philadelphia. We have about 18,000 users. We have Community Connect sites. We have medical groups, specialty practices. So it’s a typical mid-sized health care system. I am the chief information security officer here for all of Tower.

    Anthony: Excellent. Thank you for that. Let’s start open-ended here, Terry. What’s on your mind? What are some of the trends you’re looking at, things you’re watching, just top-of-mind stuff, and we’ll go from there.

    Terry: As I’m sure you’re aware if you’ve talked to any other healthcare CISOs, we are a very targeted group of entities. I constantly watch the news and see my peers deal with attacks. I look at our logs and see us being attacked on a daily basis. I have a lot of the same attacks that others look at, phishing, obviously is a big one. But interestingly, we’re getting a lot more attacks outside of normal phishing emails, which seem to be not as effective anymore for threat actors. Impersonations have been a big problem for me recently. And we have upped our identity questions when we try to positively identify folks for password reset or especially for changes to their multi-factor authentication.

    We’ve caught several threat actors impersonating ...

    • 32 min
    Reexamining Third-Party Risk Management Around Critical Service Providers


    Recent industry-shaking events have made it clear that serious points of risk lurk throughout healthcare. They’ve also revealed that operational risk and IT security risk are deeply intertwined, making it incumbent on CISOs and CIOs to work with others in their health systems – from the chief risk officers, to clinical leaders, to emergency management – to help develop a joint picture of third-party risk that analyzes the implications of losing services not only from a cyber outage, but for any reason. In this timely webinar, we’ll speak to leaders who are committed to going back and reviewing key third-party service providers through the lens of recent learnings so appropriate levels of total risk can be assigned, and plan Bs can be developed.

    Speakers:



    * Chris Akeroyd, SVP/CIO, Children’s Health

    * Vince Fitzpatrick, Director of Information Security, Christiana Care Health System

    * Chris Bowen, CISO/Founder, ClearDATA

    • 58 min
    Harnessing the Potential of True Enterprise Imaging


    Enterprise imaging is similar in scope to the EHR, and it allows clinical users to properly identify, acquire, store, manage and visualize imaging studies from across their enterprise, regardless of device, modality, department, service line or location. Historically, each imaging department made its own decisions and purchases regarding these services, often resulting in siloes with significant storage and software duplication, inefficient routing, perilous database synchronization and user frustration (or worse, apathy). With major potential upside when done right, health systems can adopt a true enterprise imaging strategy, led by executive IT members with proportional governance oversight and clinical buy-in from leaders in key domains, such as Radiology, Cardiology, Endoscopy, PoCUS and more. Join us as we speak to leaders and have them share their experiences and opinions on how a true enterprise imaging strategy can be executed.

    Speakers:



    * Alex Towbin, MD, Associate CMIO, Cincinnati Children’s

    * Joseph Marion, Principal, Healthcare Integration Strategies

    * Lenny Reznik, IT Business Unit VP, Commercial Product Leader, North America, AGFA HealthCare

    • 1 hr
    Q&A with Franciscan Missionaries of Our Lady Health System SVP/CIO Will Landry: "Investing in Agility is Worth the Cost"


    The IT stack of the past cannot service the health system of the future. That’s one of the main sentiments that runs through the following thoughts offered by Franciscan Missionaries of Our Lady Health System (FMOLHS) SVP/CIO Will Landry. For example, legacy and on-prem technology cannot provide the business continuity and disaster recovery capabilities that a Louisiana-based health system like FMOLHS needs. Also, not being in the cloud prevents IT shops from being nimble enough to handle user-side requests for innovation. Is it cheaper? Certainly not, but today it’s just the cost of doing business for health systems. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Landry covers these issues, along with his takeaways from the Change Healthcare event, his top two priorities, and why it’s key for infrastructure and security teams to be on the same page.






    Bold Statements

    There is a balance. To be totally secure, you would just turn everything off, but you obviously can’t run the business that way. If you were wide open, totally innovative, totally focused on growth and innovating, you would not be very secure, or you’re going to have some limitations in your security posture. That’s not the best position to be in either. It is a balance, and that’s why we work really well as a team together.

    Now have we made some concessions when the risk is really low? Sure. Most businesses do. We have to evaluate all those individually. And we do typically have those conversations with the business to talk about what is the priority, what needs to happen first, and how fast do we really need to do it.

    We know that the emails, the attacks, are going to get better and better, and smarter and smarter. Watching those trends and trying to stay ahead of those trends is extremely important to us and seeing what type of social engineering or social phishing is going to happen from these new generative AI tools, whether it’s video fakes, imaging fakes or audio fakes.

    Anthony: Welcome to healthsystemCIO’s interview with Will Landry, SVP and CIO with Franciscan Missionaries of Our Lady Health System. I’m Anthony Guerra, Founder and Editor-in-Chief. Will, thanks for joining me.

    Will: Hey, Anthony, thank you for having me, looking forward to it.

    Anthony: Very good, Will, can you start off by telling me a little bit about your organization and your role?

    Will: Franciscan Missionaries of Our Lady Health System is a Catholic health system based in Baton Rouge, Louisiana with 10 hospitals in the Louisiana and Mississippi markets. We also have a little over 200 ambulatory locations in the two states, 18,000 employees and we cover five specific geographic regions within the state, the Greater Baton Rouge area, Acadiana, Northeast Louisiana, the North Shore, the North of New Orleans and then Central Mississippi.

    Anthony: Excellent. Very good. We’re going to have a security-specific chat here. I don’t need names, but just tell me a little about the structure or the positions you have in security. I don’t think you have a CISO. Is that correct?

    Will: We don’t. We have a Senior Director of Information Security and myself who operate under the CISO role. The way I like to say it is I have all the accountability and she has the responsibility (laughing).

    Anthony: Very good. It’s a big health system. I would imagine most health systems of that size are going to have a CISO.

    • 30 min
