This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.
Learn more at fortifiedhealthsecurity.com
I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor for some of the world's most innovative cybersecurity companies, and now I'm president of Cyber Risk at This Week Health and the 229 Project, where we're dedicated to transforming health care one connection at a time. Our Interview in Action series allows us to catch up with health care leaders throughout the industry and hear about the important work they've been focusing on lately.[00:01:00]
Now onto the interview.
Drex DeFord: (Interview 1) Hey everyone. I'm Drex and I'm really lucky to have on the show today Dan Dodson from Fortified Health Security, the CEO. How's it going, Dan?
Dan Dodson: Drex, I'm doing well. Great to see you again. Be with you.
Drex DeFord: Good to see you too. Welcome to the program. There's so many questions that I have for you right now.
So many things going on. It's gonna be hard to make this a short interview, so you're gonna bear with me a little bit. I'm in for the long haul. Let's go. Let's just sort of start with the big one. What's some of the coolest things or one of the coolest things that you're working on right now at Fortified?
Dan Dodson: First of all, I appreciate the question. I think there's two key things that we're doing. One is, a couple years ago we brought our Central Command platform, which we believe revolutionizes the way that our organization interacts with our clients. We continue to invest in that platform.
We're bringing more service capabilities third party risk. We're migrating our clients right now. That's a new module. So we're excited about that. Continued innovation as we allow organizations to manage risk across the continuum. So that's one area we're really excited about. And then the [00:02:00] second is in May we opened our executive briefing center.
So this is the first healthcare dedicated cyber briefing center. It's at our HQ in Nashville. And we've had a client or prospect there every single week we opened it except the week of July 4th, which has been fantastic. And the coolest thing for me, Drex, is there's all these experiences, whether you're visiting our threat defense center or we're talking about your strategy in the briefing center. But the coolest thing that's come out of it is, a lot of these cyber teams at healthcare organizations don't ever have a time to get together, even as a team, and think more broadly. And so the connections we've seen, even like within the clients thinking about their strategy, connecting dots between maybe the CISO and the director or the manager, and seeing that team interact. That's really cool for me, to be honest. So
Drex DeFord: You're bringing these guys in and actually they're having some time to think strategically instead of the fire of the day.
Dan Dodson: That's right. And so seeing those teams come together has been really cool. We've celebrated [00:03:00] the successes that they've had a part of their program, separate from Fortified, things that they're doing really well. We talk about areas that they might be able to improve in.
But seeing that team dynamic come together, and I think it's a couple things. Drex, it's this physical separation, so we're getting you out of the day to day for four or five hours. And then we're facilitating this conversation about a programmatic approach. And I think it's adding a lot of value to organizations and I've loved seeing those connections be made.
Drex DeFord: So, you get to come to Nashville, that's obviously an upside. Tell me more about what does a typical visit look like? How long do people stay? What are the activities that they participate in while they're there?
Dan Dodson: Yeah, so there's two experiences, if you will, that you can kind of go through.
So one is you come in Nashville. Typically in the morning, we spend time in the afternoon we go to dinner. You spend time the next day and you go home. So it's called two days. Is typical. And in the first day we talk about the market. We certainly talk about AI. We talk about things that we're all feeling as a health care ecosystem.
Third party risk comes up a lot in that [00:04:00] discussion. And then we have this methodology that we've come up with based on the N 2.0 framework, but it's very simplified. And so we walk organizations through where they stack up in each of these different areas of their cyber program.
There's 60 of them. If they're a risk assessment client, we preload our point of view. If it's a new prospect, we kind of just go, you know, element by element through that. And what that ends up doing is it creates a debate with the client and our experts on, is it really strong? What's the likelihood and impact?
So we're talking about real risk, we're talking about that. And so the output to the client is they leave with an understanding of where are some of the areas that we need to continue to do what we're doing? Where are some of the areas that we can, maybe sharpen up and begins to build this programmatic approach.
So that's one experience that happens. Then the second is you can come in, you can see the threat defense center. It's got the big screens and the maps and all the alerts and all the threat feeds that we're looking at. But what's really cool is then we show you inside of the MSSP, we show you what our [00:05:00] analysts do.
We show you the experience, how we work in the Central Command platform. Hmm. Oftentimes clients don't understand exactly what happens between the data we ingest and the alert that they get. Like, what are we actually doing? And so
Drex DeFord: I love how you're feathering these things together so that they better understand.
Dan Dodson: Yeah, absolutely. And so, I think that builds trust. It brings visibility em a concrete deliverable. It's been really successful. We're excited about it.
Drex DeFord: Nice. Of course we can't kind of proceed through any kind of interview unless we talk about AI right now. What are you guys seeing out there as far as AI and cybersecurity and the way that health systems are using AI now and the risks that it creates?
Dan Dodson: Look, AI's here, it's here to stay, Drex. I think that the third parties at healthcare organizations that they partner with, they're using it. I think we'd be naive to think that the clinicians aren't using it. They're using it. I hosted a little round table in Dallas yesterday, and there were three or four vendors that were mentioned I'd never even heard of.
So I think like the speed of capability is just [00:06:00] faster than anybody has ever been able to comprehend. The vendors were vendors that physicians were using within those organizations, right? To coordinate clinical care, to do research outside of what the health system's providing. So it's here to stay.
We talked to clients about what kind of governance they wanna put around that, right? Are you using Microsoft Copilot? Are you using some of the stuff that Epic's doing? How are we doing it responsibly? But we gotta figure out a way. Our view is to kind of keep the human in the loop, right?
So as we think about maybe they can help aid in the decision making process. They can comb through lots of data, provide recommendations, but we still need, whether it's a SOC analyst or a clinician, to be the final person that says, Hey, here's the safeguard in the system of, yeah, that's great.
Lemme go do this. I think keeping the human in the loop is really an important part of that process.
Drex DeFord: A hundred percent totally with you. We're not at the point yet that we can completely just pull the trigger and let it go. There's gotta be a human fail safe in there.
You have a podcast now. I actually really like [00:07:00] it. You're doing a great job with it. You had Steven Ramirez recently. He's one of I did, yes. One of my favorite guys. Yeah. Yeah. How's it going? Well, tell us about the podcast and Cyber Survivor, the name of it. Tell us about the podcast and what you're doing with it.
Dan Dodson: Well, first of all, thank you for the compliments. I really appreciate that. One of the things that we're trying to do with Cyber Survivor is look across the healthcare ecosystem of all of the individuals that have been either close to or experienced a cyber event. And what are the real impacts that has from a human perspective?
Yeah. Right. So as we think about all of these non-cyber macro trends facing healthcare, whether that's financial pressures or nursing shortages or whatever, those are what people feel on a day-to-day basis. And then boom, you're faced with a cyber event. Mm-hmm. So how do you respond to it? What's the impact on the floor to the patient, to the clinician?
So the thought process is to get people that have survived a cyber event, have lived through it. We're gonna have some CEOs on there, some CNOs on there, certainly some IT experts. [00:08:00] So our idea is let's share that with the ecosystem so we can be better prepared. How do we recover, what could it might look like and what ultimately is the patient, because at the end of the day, Drex, we're all patients, right?
And we're in this business because we care about supporting organizations to deliver care in communities. So how can we learn from that? And it's been a fun adventure. I've had some great guests, looking forward to many more episodes.
Drex DeFord: This is all about community, right?
The 229 Project effort is kind of in the same bucket. How do we create a situation where you can find people you can lean on and learn from. And so anything that we can do to help share those stories make people who are behind accelerate faster. Give the opportunity for those who are ahead to be able to teach the people who are behind how to accelerate faster. It's really great. So thanks for doing that. It's a good show if you haven't seen it, where do they find it?
Dan Dodson: It's on all the major podcast platforms. It's called Cyber Survivor. Appreciate you bringing that up, Drex and hopefully people will check it out and would love feedback on that.
Or if you know any guests or [00:09:00] anybody has anything that they wanna come on and tell their story, we'd love to have 'em.
Drex DeFord: We talked just very briefly there. You mentioned also some of the pressures that are going on in the market right now. Big, beautiful Bill just passed. And if you are like I am and you're out there a lot.
You are hearing the stress that people are feeling from the concerns around Medicare, Medicaid cuts and other things that are in the bill. What are you hearing out there?
Dan Dodson: Yeah, I think there's a broad sense of concern. I think that funding, as you mentioned, there's also state cuts that impact that based on what state you're in.
Financial pressures are not a new thing in healthcare. We've always operated grocery store margins, if you will. I think what that means for us, Drex, is every dollar that we move to cyber is a dollar we're moving away from the bedside. So let's be real smart about that.
And programmatic about dollars that we're deploying. Are they really reducing the risk? Are we operationalizing around that risk? Oftentimes organizations say, well, I don't have any more budget or, I've gotta cut my budget. [00:10:00] And then when we start digging into it, they're spending more in cybersecurity than they may have once thought of.
They've added a tool or a program every year for the last three or four years, those dollars have added up into their opex. And so how do we make sure that where they're deploying that capital, it's actually lowering the risk that they set out, to lower, you know, call it three, four years ago.
And so a lot of programmatic approach conversations that we're having tool rationalization is a subcategory of that. I think most organizations are positioning themselves that there will be some impact. So how do we get ahead of that? And start thinking about the way that we're deploying capital in cybersecurity.
Drex DeFord: Because everything's connected to everything else. Infrastructure, tools and other compliance tools, other things that they don't necessarily have in their cybersecurity budget. You start looking at this holistically, you find out maybe you have more things that you can think about, work with app rationalization and that kind of stuff too.
Dan Dodson: Absolutely. I think that's exactly right and I also think that one of the things that's a challenge for the [00:11:00] market is, if I spend a little bit of money with 10 different vendors, and then I look back and I'm frustrated as the client because I don't have a real partnership.
Speaker 3: Well
Dan Dodson: We put the other side of that hat on. It's hard for the service providers or the technology providers to go deep in a relationship if they're only getting one tenth of the opportunity to build out a program with you. Yeah. Yeah. So we take a lot more consolidation in that area I think is important.
Drex DeFord: Yeah. Partnerships are incredible. Here's something else that you guys do that I really get a kick out of. Because it's super easy to consume and it's super easy for everybody in the organization to consume, and that's the midyear Horizon report that just came out. Tons of great information in there.
Your team is doing incredible work when they sort of pull that stuff together from a lot of different resources. What were some of the findings? Gimme a couple of the big things that are going on that you talk about in the report.
Dan Dodson: Yeah. So, first of all, thanks for bringing that up. We really enjoy putting the Horizon report together.
The team's done [00:12:00] a great job pulling information and working with clients to get their perspectives as well. As we think about what's important in the broad market specifically to this mid-year Horizon report, there's a couple of key things. One is there has been progress, Drex. I mean, there's a lot of conversations about how breaches have increased and how there's more to do.
Well, that's never gonna end, right? There's always gonna be more to do, but we've made some progress. So we cover that in the report. We're seeing a lot of organizations that have increased governance. We're seeing more. It's not enough. We're seeing more buy-in from boards. We're seeing more conversations across the C-suite.
Let's celebrate some of that progress that we've made. Right? A lot of organizations are doing an annual risk assessment or risk analysis. That's great. That's progress. I think where the struggle is on the other side of the coin is how are we taking that corrective action plan, putting it into a program, addressing the risk.
Not getting distracted by other things that are happening within the health system. So there's progress, there's opportunity. We talk a little bit about that. We talk about AI specifically in the context of the security operation center and how can we bolster our ability to [00:13:00] respond sure that we're keeping a human in the loop as we talked about earlier.
So we covered a little bit about that. Then there's the last thing we talk about that I would highlight is community. I mean, you guys do a great job creating a community. We kind of have this internal drumbeat that we think about, which is the bad guys are talking all the time.
How do we create a forum, a platform, a gathering for them to do that? Horizon Report is a piece that can help drive conversation towards that. We also host monthly round tables 75 to a hundred people coming together, Chatham House rules, talking about what's happening in their organization.
Been doing that for years, since 2020. That's fabulous. So I just encourage people to find a community to plug in, whether it's the 229 or local ISAC, whatever it might be. Like, get involved and learn from other people. 'Cause our adversaries are doing it. So let's all be stronger together.
Drex DeFord: And it's unbelievable how much the bad guys really do collaborate. They run that part of the dark web, that part of the world. They are so interconnected. They use each other as subcontractors, the way that they learn [00:14:00] and teach each other. Yes, we could definitely pick up a lot from the bad guys.
Yes. And I'm glad you're doing the stuff you're doing. Thanks for the Horizon report. Where do people get that?
Dan Dodson: It's available; you can find it on our LinkedIn page, you can find it on our website. Feel free to email me. I'm happy to get you a copy of it as well.
Drex DeFord: Great.
Perfect. Here's a, well, a couple lightning round questions. If you had a magic wand and you could change one thing about the healthcare industry's approach to cybersecurity, what would it be?
Dan Dodson: I would've gone back into the HITECH era as we started to really digitize healthcare and have more cyber focus at the beginning, so to speak.
Probably the midpoint, but of the rapid digitization. That's one thing that I would change.
Drex DeFord: Yeah. I'm with you. I think when we did ARRA and meaningful use and we started fielding electronic health records, we missed two big things. One was interoperability, the other one was cybersecurity, just didn't really spend a lot of time thinking about that. Hey, what's one cyber myth you'd love to debunk?
Speaker 3: That's a hard one. Take a pass on that one. Yeah, that's a good one.
Dan Dodson: I don't know if this is a myth, but [00:15:00] there's a lot of good people out there trying to do the right stuff. Drex, yes. I think that there's often a lot of publicity when XYZ system is down or this vendor's down or this, but behind that is a team of people that are trying their hardest, working with the best tools they can do, putting programs together.
And I think sometimes we lose sight of that. I think it's important to recognize that we got a lot of good people doing a lot of stuff. One, and then two is funding's a big issue. Drex, I mean, a lot of these hospitals wanna do more. It's just we're in the confines of what we have.
And so they're doing the best they can with what they've got. That's right.
Drex DeFord: That's right. Yeah. Yeah. Boy, I'll tell you that, that's a great answer to that question. Great people working their guts out, doing their very best, trying to protect patients and families. Sometimes they get caught up in a cyber breach.
It's not because they're not trying, it's usually just because something happened. They got caught. If you weren't doing this, what would you be doing?
Dan Dodson: Oh gosh. I love what I do, Drex. That's a hard question. You do, I don't, that one I [00:16:00] don't have a good answer for. Look, I love what I do every day.
I love the people I get to work with. I think the best thing about being in healthcare industry is we got the best people that care about a good mission, which is to protect patients. I see and hear that every day, so I love that. I'd probably play a little bit more golf.
That's probably not a really cool answer, but maybe I do that a little bit more.
Drex DeFord: Maybe you go on the tour.
Dan Dodson: Yeah, there you go. I'm a long way from being Scottie Scheffler, but yeah,
Drex DeFord: Hey, I really appreciate you being on the show today. It's always fun to talk to you and I'm looking forward to hopefully our paths cross sometime soon.
Dan Dodson: Absolutely. And thank you so much for having me and honestly, Drex, thanks for what you guys were doing. I feel the sense of community that you guys are building. I'm happy to be a part of it and keep going. So thanks for this time today and for all that you guys are doing.
Drex DeFord: Thank you.
Thanks for listening to this Interview in Action episode. If you found value in it, share it with a peer. It's a great chance to discuss the issues and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. [00:17:00] If you can do that, that'd be great.
Thanks for listening. That's all for now.