This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Bill Russell: [00:00:00] Today on the 229 Podcast.
Anahi Santiago: If we don't do our jobs well, or even if we do our jobs really well, but the threat actors happen to just get it right that one time we could impact patient care.
Bill Russell: My name is Bill Russell. I'm a former health system CIO and creator of This Week Health, where our mission is to transform healthcare one connection at a time. Welcome to the 229 Podcast, where we continue the conversations happening at our events with the leaders who are shaping healthcare.
Let's jump into today's conversation.
Alright. Hey, it's the 229 Podcast, and this is where we continue the conversations that start at the 229 meetings.
And today we're joined by Anahi Santiago, the Chief Information Security Officer at ChristianaCare out of Delaware. Are all those things still correct, or did they add things to your title or move you around, or...
Anahi Santiago: No. I [00:01:00] mean, we're expanding in terms of our coverage. So we're not just Delaware, we're Maryland, we're Pennsylvania, we're moving into New Jersey, but title's the same.
Bill Russell: Wow. You've had a lot of longevity there. You've been there for a while, haven't you?
Anahi Santiago: Over 10 and a half years.
Bill Russell: Wow. Is that the norm for the CISO role these days, or is it less than that?
Anahi Santiago: No, I mean, I think the statistics state that on average a CISO sticks around for about 18 months.
I happen to have two ten-year tenures. I was at Einstein for 10 and a half, and now I'm blowing past that at ChristianaCare with 10 and a half. I'm just lucky that I've worked for two amazing organizations that have given me absolutely no reason to want to look elsewhere.
Bill Russell: Why do you think there is movement in the CISO role? Do you think it's because of the demand for the role? Do you think it's because people are getting promoted out of the role, people moving from organization to organization? I mean, what do you feel, or what do you see as you [00:02:00] look around the industry?
Anahi Santiago: There are different types of CISOs. I think that there's a great demand. I think that there are some CISOs that just hop because they find different, more rewarding opportunities, whether it's financially or different organizations.
I think some come in, they put their mark, and then they feel like they need to move on. I do think that there are some that join an organization with aspirations to make impacts, and then they come across a lack of support for cybersecurity because of competing priorities. And I think that's a big reality, right?
Like, I'm lucky to work for an organization that prioritizes cybersecurity, so I don't have a lot of friction when it comes to advancing the program. But I know a lot of CISOs that come up against organizations that either don't want to invest in it, culturally don't want to adopt it, and, [00:03:00] frankly, in some organizations it becomes an ethical concern.
Where, you know, an organization might want to file an attestation around cybersecurity and put their CISO's signature on it, and the CISO's just not comfortable, from a professional liability standpoint, in doing so. And then I think some are being promoted out of the job. I know some that are moving to be associate CIOs and gain greater responsibilities.
So I think it's a mix of things.
Bill Russell: It's interesting. I was talking to a CIO yesterday who will remain nameless, because they interviewed for another job, and I said, well, you know, this is the first time you've interviewed in a while. What struck you? He said, what struck me was the starting salary.
I said, really? Why is that? He goes, well, because I've been at this location for a long time, and, you know, when they told me what the starting salary was for CIO for a little bit larger, but pretty much a [00:04:00] comparable health system, it was significantly more than what he was currently making.
And I said, well, you know, that could be for any number of reasons. One is the job market is hard for certain roles, CISO being one of those; it's hard to find that role. Do you think there's a disparity in, let's just say, that certain health systems recognize the need for really good cybersecurity, recognize the need to put in a program, and pay accordingly for that, whereas others don't?
Anahi Santiago: I get a lot of calls from recruiters. Although I'm not actively in the job market, I take those calls because I have friends that are in the market and, you know, I'm a connector. Like, if I can help people. And when I talk to these recruiters, I'm actually disappointed at the level of pay that healthcare is commanding for CISOs.
I think in the healthcare industry, and I should say in the healthcare provider [00:05:00] industry, CISOs are still woefully underpaid in comparison to other sub-sectors in healthcare and outside of healthcare.
Bill Russell: I mean, one of the topics I did write down here that I want to talk to you about is the CISO role, but mostly about healthcare, healthcare's unique challenges versus other industries' challenges. I mean, we talk a lot about how healthcare is unique and has unique challenges and is complex. It would stand to reason that you need to pay somebody for that complexity, to manage that complexity and that challenge.
But I want to talk specifically about the differences. What makes being a CISO in healthcare unique and challenging?
Anahi Santiago: Well, let's start with the obvious life safety. If we don't do our jobs well, or even if we do our jobs really well, but the threat actors happen to just get it right that one time we could [00:06:00] impact patient care.
Bill Russell: Well, and we saw that a lot last year, right? I mean, we had significant outages. Ascension. We had Change Healthcare. We had a bunch.
Anahi Santiago: Absolutely, and you know that leads to emergency room diversions. It leads to canceled surgeries, it leads to oncology patients unable to get their treatment.
I mean, it really does have a significant patient impact. Even something like Change Healthcare, which really, you know, had a financial impact: patients were showing up in pharmacies and they couldn't get insurance verification and were being turned away and they couldn't get medications. I had a friend who paid $3,000 out of his own pocket to get a life-saving medication that he couldn't live without, because he couldn't get insurance verification. And so that's one big challenge. I also think that as an industry, we have traditionally not been as [00:07:00] mature as other industries in terms of investments in cybersecurity and alignment with the level of technology adoption that healthcare has undertaken over the last 15 years. That has left our industry with a whole bunch of holes. The shrinking margins aren't helping now. We have to compete more and more now with investments in clinical delivery. And then I would say the open nature of hospitals. You know, when I first entered into healthcare,
I had a little bit of a panic attack asking myself, what did I get myself into? Because I came from systems and technology where we had a badge; you couldn't get into the building without going through a security guard. It was a one-to-one ratio: my computer was my computer. Nobody came into my office. In healthcare you've got patients walking [00:08:00] around floors, you've got mobile carts with computers in the hallways, you've got nursing stations with 12 people competing for the same workstation, bells ringing, people running around. It's just very difficult to corral and implement sound security when the dynamics are so fluid. So I think all of those factors contribute to the difficulties.
Bill Russell: And I would point out biomed is really distinct to healthcare and not a small problem to solve.
I mean, because, you know, a lot of those biomed devices are FDA approved, and with the FDA approval, you just look at it and go, hey, can we upgrade the Windows XP on this device? And, you know, take it to something that's a little bit more, I don't know, current than the year 2000? And the response is, well, you can.
But then it's not FDA approved anymore. Like, it has to go through that cycle. Now I know we've made a lot of progress on [00:09:00] that, but back when I was a CIO, it was just... I remember we did an inventory, and the number of XP devices on the network just shocked me. I'm like, what? I don't even understand where these are coming from.
They go, oh, those are all biomed. And they said, don't worry about them. Like, what do you mean?
Anahi Santiago: Yeah, it's interesting because you are right. Biomed devices create a lot of complexity. The certification cycle for FDA is at times longer than the supported operating system cycle for Microsoft. And then because they're FDA certified, it's not like a regular Windows device where, if it gets infected, we just either throw it out and install a new one, or wipe it clean and restore from backup. We actually did a tabletop exercise with Philips a few weeks ago to sort of walk through the scenario of what we would have to do to respond to a [00:10:00] ransomware infection when it came to a Philips medical device, and it's not something that ChristianaCare or any provider can just take on their own.
They have to coordinate all of those recovery processes with the medical device vendor, which creates even more complexities. And, you know, we were intentional in running through this tabletop exercise, but in my mind I was extrapolating to the fact that out of the 90,000 IP addresses that are connected to our network,
70,000 of those are medical devices. And if I had to go through what I went through in this tabletop exercise with 70,000 other devices, and however many manufacturers are associated with those medical devices, like, that recovery time to get our hospital back up and running feels untenable. But the reality of it is that's how challenging it will be in the face of a [00:11:00] massive cyber attack.
Bill Russell: I was talking to somebody yesterday, in fact, about their experience with a significant breach that went on at their health system. And one of the points that this person made as I was talking to him was one of the hardest things was to get the vendors on the phone. I was like, what do you mean?
It's like, well, first of all, we have a lot of them. And when you have a system-wide breach and outage, like, you need them all to sort of be at the table. And it wasn't as easy as I thought it was going to be to say, hey, we're having an outage, and they would provide the right resource.
All that stuff really has to be thought of ahead of time, doesn't it?
Anahi Santiago: In this tabletop exercise, we actually called the Philips support desk. And the person on the other line didn't know that we were running through a tabletop exercise. They reacted as they would, and it was a wonderful experience.
And I think Philips patted themselves on the back because it went so [00:12:00] well. But I don't know that every other vendor would've responded as efficiently as this particular service desk individual responded.
Bill Russell: Well, and having been in so many other industries, I think just the sheer number of vendors that I found in healthcare.
I remember when I came in, I said, well, you know, how many applications are we looking at? They're like, instances of applications or applications? I'm like... So, well, about 1300 applications, about 1900 instances of those applications. Some are, you know, you have three or five instances of the same application at different hospitals.
So I'm looking at it and going, okay, I've been in manufacturing, I've been in banking, I've been... that is application sprawl. That is really not common outside of healthcare. It's amazing how many vendors we have to deal with.
Anahi Santiago: And to your point, one vendor, we could have 10 different systems from that one vendor, and [00:13:00] for the very large vendors,
they almost act like separate companies. Like, just because I'm dealing with an oncology product for one name vendor, if I move over to a home health product for that same name vendor, they're completely different companies. They don't even talk to each other. And the ecosystem is expanding. I just referenced home health.
Now, you know, we used to have medical devices connected to our network. Now we're sending medical devices to patients' homes for remote patient monitoring, for hospital-at-home programs, for virtual care. And so we no longer have to worry about protecting devices that are on our network. We've got to figure out how to protect those devices when they're on somebody else's home network.
Bill Russell: That's amazing. Hey, I'm curious. I've only sat through a handful of tabletop exercises. From your perspective, what makes a good tabletop exercise? [00:14:00] What do you look for in a good, I don't know, somebody who's going to coordinate a tabletop exercise? What does a good one look like?
Anahi Santiago: So I think one of the best tabletop exercises that I have experienced happened recently. A couple months ago, CISA came in and led a tabletop exercise for us, and we had participation from different areas of the organization, operational. I think IT has done enough tabletop exercises that, although we will continue to learn, we've gotten pretty good at it.
But our hospitals have not gotten really good at understanding how they're going to operate in the face of a ransomware attack. We've got good downtime procedures for a few hours, maybe a day, but not for four to six weeks. And so, in our most recent internal tabletop exercise, we [00:15:00] brought in people from home health, from the emergency areas, lab, radiology, operational people that needed to exercise how they were going to work without technology.
And what really added value to this particular tabletop exercise is we had 13 state, local and federal agencies at the table participating, physically in the room, participating in this tabletop exercise. And what we learned is that, you know, the State Department of Health for Delaware and Maryland could do the calling to other hospitals if we needed to divert or even transfer people out of beds. Our local National Guard could stand up makeshift hospitals in our parking lots. Other local agencies could actually source paper if we run out of paper, because that seems to be what I hear a lot when I talk to my [00:16:00] peers: that they physically run out of paper.
Bill Russell: Yeah, I heard the same. That's wild.
Anahi Santiago: The participation of those local and regional agencies in helping us to understand how we could leverage them, I thought was immensely valuable.
So I would encourage everyone to include your local agencies in your tabletop exercises because in the 20 years that I've been doing this, I learned more than I have ever learned.
Bill Russell: We do learn more through the events. I love talking to people who have gone through a ransomware event, because after you've gone through it... like, you could do tabletop after tabletop, but after you've gone through it.
And they say things like, yeah, we didn't have the forms. Like, we didn't have enough of the forms. We were down for 30 days. We didn't have enough pens. I was like, really? They're like, yeah. You know, you just spend so much time on the downtime and recovery procedures and where's the [00:17:00] data and what's the source of data and how do we... Like, we spend so much time on that. And I think one of the things that's come up over and over again is something you mentioned, which is who owns the downtime, and the most common thing I hear at our meetings is it's spread out. It's spread out. You would own a piece, but each hospital, even potentially each department in that hospital,
would own their own downtime procedures. And some of them are advanced and some of them are woefully inadequate. Like, they will find out when it actually goes down, like, wow, we didn't really think this through. And so that's one of the things that I keep hearing: we don't have, like, a common person
that is really about business continuity and recovery across the operation, if you will. We have it in IT, but we don't have it across the entire operation.
Anahi Santiago: I would a hundred percent agree with you. In fact, we now have created what I'm [00:18:00] calling an operational resiliency steer, and we have a programmatic effort in ensuring that our operational capabilities in the face of an attack are aligned with, you know, the ability to operate without technology. And the steer is comprised of executive leaders across the organization. So think in terms of all of the campus presidents, executives in finance and compliance, in materials management, public safety, so on and so forth, and I'm leading that effort.
Even though it's not really a cybersecurity function, but recognizing that it's a really critical need, because it's not an if, it's a when, and it's not going to be a day, it's going to be weeks. [00:19:00] And I'm finding it to be a huge lift, but one that requires organizational priority, and luckily for our organization, we're giving it the priority and resourcing it appropriately.
But this isn't going to be a multi-week project. This is going to be a multi-year program.
Bill Russell: Program. Right. So it's project has a start date and an end date, and a program does not. That's the distinction I make.
Anahi Santiago: Yeah.
Bill Russell: It's just ongoing, constantly updating, constantly looking at the environment. I'm going to ask you a question.
It puts you in a situation that you're not currently in or looking to be in, but I think it's valuable because I want to ask you about creating a culture of security. But I want to ask it in a different way, and that is, if you were interviewing at a new health system and you're interviewing with the leaders, what are you looking to hear from them
to determine where they're at in terms of [00:20:00] their maturity, in terms of their willingness to support the CISO, or their willingness to support a program? What kind of things are you looking to hear? What kind of things would be red flags, like, you know, if I came on board here I would experience a lot of friction and maybe a pretty uphill battle?
Anahi Santiago: The only reason I interviewed at Christiana was because I wanted to get interview practice.
Bill Russell: Oh, you liar. You interviewed because it's close to the Eagles and the Phillies.
That's why you interviewed there.
Anahi Santiago: Well, at the time I was working at a hospital in North Philadelphia.
Bill Russell: Oh, that's even closer. I'm sorry. I didn't mean to accuse you there. I just know your love. Yeah.
Anahi Santiago: And frankly, you know, Christiana, like... my current job at the time was a subway ride away.
Christiana was a 45-minute drive down the highway. So I really didn't know much about Christiana, but I thought I would just get a practice interview. And during the interview process, I learned that they had a culture that prioritized [00:21:00] cybersecurity, starting with the CEO all the way down. And so I fell in love with the culture and with everything that I heard when it came to their understanding of cybersecurity and their prioritization of cybersecurity. And so that's, you know, if I were to interview at different organizations, that's what I would want to hear.
I would want to hear that they actually understand and want to invest in cybersecurity, even if what I heard was, we're not there yet, but we want to get there. That to me would be an exciting message, because it would invigorate me to want to move into an organization that, even if they have not adopted it, there's energy around wanting to adopt.
I have interviewed at organizations where what I heard was, it's got a really difficult physician population and you're going to have a really difficult time getting them to listen to you. [00:22:00] So how? How are you going to sell it to them?
Bill Russell: Yeah. How are you? It's your job to get these people to do their cybersecurity stuff?
Anahi Santiago: Yes. Like, literally, I was being interviewed about what my skill sets were going to be to get them to drink the water. And after, you know, that one-hour interview, I thought, no thank you. I don't want a second interview. I have no interest in working for an organization where the interview led with that line of questioning.
Those are the two polar experiences. I went for one role and I've been there for 10 and a half years because it's been an incredible experience. I'm so thankful that I did not agree to a second interview with the other organization.
Bill Russell: Well, we find that in the 229 meetings. It's been a while since I've led a CISO meeting.
Drex typically does those, but in the [00:23:00] ones I did, I remember there's typically one or two people in the room that you just look at and go, you have to get executive support. Like, you're going to continue to beat your head against the wall until somebody, hopefully the highest level within the executive team, sort of acknowledges it. And they said, well, I can't do that.
What's the alternative? I'm like, have a breach. I mean, seriously, like, if you want to get their attention, have a breach, and then say, this is what we were talking about. I'm like, not cause a breach, but essentially they're not going to listen if you can't get them to listen based on what's going on in our industry.
The only thing that's going to get them to listen is probably an incident.
Anahi Santiago: But that's unfortunate, because if you have a breach, patients suffer. And if you're working for an organization... in my opinion, there are plenty of roles and opportunities out there. If you are working for an organization where you are just fighting uphill, [00:24:00] it's time to consider moving on.
Bill Russell: I really commend you, because you're one of the people who says this over and over again:
security is patient safety. I think it's indicative of how they view patient safety if they don't prioritize cybersecurity. And, you know, I feel for the people who are in that role, but almost the best thing they can do is go somewhere else.
Anahi Santiago: I do think that, you know, and I'm very quick to say, well, find another job, but I also think that we have an opportunity to truly align cybersecurity to patient safety.
And it starts with CISOs and executive leaders in the organization understanding what the organization's mission and vision is, and ensuring that we align our cybersecurity programs and our conversations with leaders across the organization with what's important to them, so that [00:25:00] perhaps we can ensure that we socialize and create a culture of cybersecurity by understanding what the organization needs to accomplish and ensuring that our conversations are tied to that. And so when I started at ChristianaCare, the first thing I did was schedule meetings with all of the executive leaders across the organization, and my conversation started with, hi, my name's Anahi Santiago, I'm the new CISO.
So what's important to you? Like, what keeps you up at night? What are your priorities, so that I can understand how to align my cybersecurity program with what's important to the organization? I did not show up at those meetings with, here's why cybersecurity is so important, here's what you need to know.
Because I think that's a non-conversation starter, and it doesn't help to build relationships. So for me, it was really important to [00:26:00] show up with, what's important to you and how can I help you?
Bill Russell: I could definitely see that. So you must be in a pretty good mood, because the Phillies, I think, are in first place.
And the Eagles look pretty good so far this year.
Anahi Santiago: They just swept the Mets in a four-game series, and I was at three out of those four games. So not only did I show up in a good mood, but I'm surprised I'm actually coherent, because the last three nights have been very late nights for me.
Bill Russell: How do you feel about the playoff run?
Anahi Santiago: You know, when I first heard that Wheels was going to be out of commission, I panicked, but then everybody else is stepping up, and, you know, we picked up Duran, and he's amazing. I mean, 103-mile-an-hour pitches. Like, he's just incredible. Last night when he came on the mound, like, the whole stadium got just [00:27:00] super excited, and I think that's how we all kind of feel moving into the playoffs.
I'm super excited.
Bill Russell: I'm hopeful for you. The four-year Nola deal I think was a bad deal. I know you guys love Aaron Nola, but he doesn't have four years left in him. But he might have a good playoff run left in him, or, you know, a couple games.
Anahi Santiago: . He's been pretty inconsistent you know, coming off of his injury and so I don't know what we're gonna get out Oola.
I'm optimistic, but honestly, like, he's not the player that excites me. I don't have to see Ranger on the mound. Certainly little nervous about him. Little nervous about Walker. Sanchez has been giving us a good showing. It. It just we'll
Bill Russell: see. I, the interesting thing to me is both those programs, the Eagles and the Phillies.
It almost feels New England-esque at this point. I mean, they're championship teams every [00:28:00] year. They don't necessarily win, but they're going to be in the playoffs. They're going to be in the conversation. And I think that started at the leadership level. I think they have good GMs and good owners in both places.
They're willing to spend money on key talent, and they're not afraid to make hard decisions. The Eagles was an interesting one to me, because they had... oh, I forget the guy's name who took them to the playoffs as the quarterback, and then they ended up, you know, moving him aside for Jalen Hurts.
That was one of those decisions that was, well, do we, don't we? And they just made the decision, and clearly, you know, Hurts is a great quarterback, and that was the right move. But we forget how difficult those decisions are to make for leaders at the time.
Anahi Santiago: So Carson Wentz was our number one quarterback, right? And it's one of those "where were you" moments. I remember draft night, when the Eagles drafted Hurts, and my husband was down in the man cave watching the draft by himself, and I was actually on [00:29:00] a Zoom call with a whole bunch of other Eagles friends that we travel together with, and we were just watching the draft over Zoom, and when Hurts got drafted, my entire Zoom friend call heard
the one word that I will not repeat on this call that came from my husband's mouth down in the man cave, that everybody heard on the Zoom call. And I think that was the general sense across Eagles fandom at the time, and boy, do we not feel that way anymore. And I think it speaks to, you know, our leadership, starting with Howie Roseman, who at one point our owner put in a closet and sent around the world, like, demoted him and sent him around the world to study other sports organizations and their leadership, and he came back a [00:30:00] different GM. And I don't think anybody would second-guess anything that he did at this point.
He's a magician.
Bill Russell: It is pretty amazing. And, you know, why do we spend so much time talking about sports? Because the analogies between sports and leading at a health system are pretty clear. From time to time I'll talk to CIOs and they'll say, man, I have this problem, this person, and so on.
And over the years I've been like, hey, you know, coach them, do this. And I've been Mr. "you know, you can rehab anybody," kind of thing. And I think that is a very valid strategy. More and more recently I've just been like, how much of a problem is this? And if they say it's a big problem, like, problems do not get better with age.
And they just look at me like, well, that's pretty harsh. I'm like, well, I'm not in your chair, so I'm not looking at the person; you're just asking me, you know, how to evaluate this thing. And, you know, sports team owners have very clear metrics, and we all see it, right? It's the score every week, it's the score, and then it's [00:31:00] championships. Very clear metrics.
Ours are not nearly as clear. It would be nice if they were as clear, so that we could make the decisions we need to make with more clarity. But that's what I take away from sports. Maybe it's a bad thing to take away from sports, but that's, as I sort of look at it, I marvel that the Patriots won six championships.
I'm amazed that the Steelers won four. I'm amazed, you know, I look at those and I go, all right, how did they do that? How did they create a culture over time that won over and over again?
Anahi Santiago: Do you think it's culture? You know, sports are probably as unpredictable as healthcare, given that your best player could be taken out with just one roll of an ankle and your season can change.
And, you know, the Eagles in 2017, 2018 are a great example of that. Our top quarterback goes out. We win the Super Bowl with a backup. And why? Because the [00:32:00] culture of that team, of that organization, enabled us to carry on. And I think healthcare is the same way. If you've got a culture of patient safety, of, you know, assuming good intentions, which is one of our core values, of always wanting to put the patient first,
you can overcome many of the challenges that we're all experiencing. We're experiencing huge challenges right now when it comes to margins and when it comes to uncertainty. But if we have the right level of culture, and we can have difficult conversations that allow us to overcome them, then I think we can get ahead of the mountains that are in front of us.
Bill Russell: Yeah. I want to thank you. Thank you for your time, for, I don't know, recovering from last night's game and joining us here on a Friday morning. Really appreciate you. Thank you.
Bill Russell: Thanks for listening to the 229 Podcast. The best conversations [00:33:00] don't end when the event does. They continue here with our community of healthcare leaders. Join us by subscribing at thisweekhealth.com/subscribe.
If you have a conversation that's too good not to share, reach out. Also, check out our events on the 229 Project website. Share this episode with a peer. It's how we grow our network, increase our collective knowledge and transform healthcare together. Thanks for listening. That's all for now.