This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] This episode is brought to you by First Health Advisory. Health IT leaders strengthen and streamline your healthcare system with First Health Advisory. They offer comprehensive cyber risk management, governance and security optimization, and strategic advisory services to enhance patient safety and bolster cyber resilience.
Their expert solutions ensure compliance and boost operational efficiency. Visit ThisWeekHealth.com slash First Health Advisory today and elevate your cyber strategy with First Health Advisory.
Today on Newsday.
You have clinicians that can start to look at what is the clinical impact of this cybersecurity modification of this intervention and really start to bring the clinicians from being our biggest vulnerability to being our biggest asset. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a [00:01:00] time. Newsday discusses the breaking news in healthcare with industry experts.
Now, let's jump right in.
Welcome to Newsday. I am joined today by Brad Marsh from First Health Advisory, and we're honored to have him as our guest. Brad is the Executive Vice President of Clinical Innovation and Government Health at First Health Advisory, a leading firm dedicated to enhancing cyber resiliency and securing digital transformation in healthcare.
With over 20 years of distinguished service in the U.S. Army, thank you for your service, Brad, his career uniquely bridges tactical air and missile defense and nursing, providing him with a comprehensive perspective on healthcare and cybersecurity. At First Health Advisory, he leverages his extensive experience to advance secure and efficient healthcare solutions. Prioritizing patient safety is a business imperative. Join us as we delve into Brad's journey and explore the critical intersection of healthcare and cybersecurity. Welcome to the show, Brad.
Hey, thank you, Sarah. Thank you very much. To be honest, it was my honor to serve. It's a great country and I appreciate the honor to have served this country. [00:02:00] Let's get at it. We will. And your background is so impressive and so interesting and so much fun. We love that you guys are partners with us.
Before we talk about what's happening in the news, what's happening in your universe? And you've got to have some Oh my gosh, I hope I don't see more of this next year, but we're teeing up to see more of this next year. What are you anticipating as we go into year end and getting ready for 2025?
Really, everybody was watching the political spectrum and we've had the elections and we'll have an inauguration and a peaceful transfer of power, which is one of our hallmarks as a country in the new year. And we really look. to see that bipartisan work in both houses of Congress to be able to move things forward.
And, Senator Warner and Cassidy, bringing forward the bills they have, that was a tipping point. And as I read through and was seeing it pre holidays I recalled back to the work I did when I was still active duty on the Healthcare Industry Cybersecurity Task Force.
And really getting into what we started reading the tea leaves back [00:03:00] in 2016, 2017, we saw that we were going to be under attack. The days of the Red Cross protecting our care facilities from attack were over. And we saw that coming on the horizon, and we have just seen 2024, it expounded we saw healthcare system after healthcare system fall, and I think we are going to see more of that, I think. The thing that gives me hope as we look at this period of thanks and moving now into a period of new horizons as we approach a new year, we are starting to learn from each other's mistakes.
And I really think that's key and important that we start to really look at how did these large and small healthcare systems and subsidiaries fall. What could we have done better? How could we have worked better as an industry? And I really think that we are on the precipice of finally getting [00:04:00] where we need to be headed.
So there's work to be done, but right now we're starting to head towards the right direction. We should not all be doom and gloom. This is not the end of the world. This is one of the hiccups that we have faced along the way. And it is our peers out there, Sarah that really are doing their best.
We should reinforce them and we should give them all the tools and able to That's possible for them so that they can do their job at that tactical level and then really start to look at our overall industry writ large as in the critical infrastructure sector. It really is. I appreciate that the true bipartisanship that you've shared for the Health Care, Cybersecurity, and Resiliency Act of 24.
It's only a couple of weeks old in terms of it being formally introduced. There are five key pieces that really touch on what it means to strengthen cybersecurity within the health care sector. And specifically, whether that's grants and training or the support for the rural providers.
Enhanced [00:05:00] coordination between HHS and CISA, incident response planning and regulatory updates. That's a lot to tackle at once. It's a lot to digest, especially if it's not an area that you're as familiar or comfortable with. When you're thinking about how advising your clients and working with CISOs and CIOs, et cetera.
Where do you start to unpack this legislation and have it really have a meaningful impact in the places it's meant to protect? So there was a book published 2012, 2013, talking about government and wicked problems. With wicked problems, if you fix one part of it, destabilize three others. And so there can't be.
There can't be the miraculous one pill that solves all your ails. We have to look at this from an entire spectrum. Again I talked about being on the task force and supporting the task force. I supported Dr. Lauren Thompson as a signatory and I helped author a lot of the sections. And when we [00:06:00] specifically look at the training, We have across all of cybersecurity, not just in the healthcare sector, but all of cybersecurity, we are behind in our workforce, much like our clinical workforce.
A nurse, I'm a retired Army nurse. Have a deficit of nursing. We have a deficit of cybersecurity. And then you add on healthcare, and all of a sudden we're woefully understaffed. And so by encouraging people to go ahead and go get the training, to understand that we have an ability to train others, to develop others, to really bring together formidable force.
We need to have the training available. We need to be able to pay to send people to that training. You spoke about me being in charge of the government health line here at First Health Advisory. I have clinicians that I want to put through similar training to what I received when I received my cyber degree from National Defense [00:07:00] University.
I want to have cyber clinicians. Already done this with some of our team members. But you have clinicians that can start to look at what is the clinical impact of this cybersecurity modification of this intervention and really start to bring the clinicians from being our biggest vulnerability to being our biggest asset.
That requires upfront money. Hospitals cannot take a nurse off the floor unless they have funds to be able to cover the overtime for another nurse. They don't have the funds to go ahead and pay somebody to go get their CISP, their CHISL. There are any variety of other certifications that are out there in healthcare.
Again, and I focus on that teaching and the grants, but then when you start to look at the rural providers, it is so
Fall into that mind trap that, oh, everybody's like a Kaiser or a Mayo. No, they have dedicated hundreds of man hours of dedicated [00:08:00] dollars to be able to develop this. The flyover states in the middle of our country, they have to fight to keep a CISO because they're a small system.
They are no less important than the larger organizations. And really being able to support those rural providers to be able to keep delivering care, we keep the national infrastructure protected by doing that. Again it's a web. If great, I've got grants and training, but if there's nobody here in these rural areas, I won't be able to secure the infrastructure sector.
I'll have a big gaping hole. Guess where the enemy is going to go?
going to go to the hole. When you start to look at that overall enhanced coordination and the incident response, we then start to really see how does it all play together. We used to joke about who you're going to call.
Citing a movie quote from many years ago that I don't want to have to pay royalties for. So I'm not going to cite, but who you going to [00:09:00] call? And you need to know who to call, when to call, and what you're going to get out of that. And you need to be able to have those tools available.
And then, of course, as we get into the regulatory updates many times we've gone into hospitals, and they're like, oh, we've got our HIPAA here's our certification there. And nowhere in it does it talk about a DMZ. Nowhere in it does it talk about, your SAML authentication. How are you handling your multi factor?
That's not in there. And we do need a rationalization where this kind of falls a little short, because, and it's supposed to, given government structure here in the United States. The states have rights and the federal government has certain responsibilities. And I think that's one of the things that if you have a hospital system that's in a tri state area that serves multiple states, that hospital has to abide by the state regulations and the federal regulations.
And there are times where they're in conflict. And I think that's where this kind of falls short. We do [00:10:00] need a rationalization of the laws to make sure that If they're
achievable,
We need to make sure that we are requiring what really needs
When you mention the incident response planning perspective, especially with having cyber almost executives in the clinical arena, it often is a topic of conversation, whether it's one of our city tour dinners or one of our summits that says, who in the hospital is responsible for continuity of operations when there is a cyber attack, and there's this dialogue that often, to your point IT.
carries the water for the programs, the policies, the infrastructure, etc. And yet what happens on a nursing floor, what happens in an OR suite, what happens in the ED is to a degree up to the clinicians because how they do their job is very specific. To them. And so as you appoint these leaders for these workflow continuity capabilities inside these [00:11:00] organizations, I love what you're talking about because too often, sure, we can focus on getting the systems back up and running in the interim, how does the patient care get handled when systems are down?
A great point. Not while I was with First Health, but in a previous career, and we'll remain nameless there, there was about a 36 hour downtime, and I was working as more of an inpatient nursing information officer, so think of CNIO focused only on the inpatient side, and we were coming out of the 36 hour downtime, I actually had to go to a conference, and my lieutenant was manning the floor and he calls me up and he goes, sir, we have a problem.
They say that the EHR is back up and they're telling us to just start charting again, start using the EHR. But I don't agree with that, sir. And I said you stand your ground. And he had to go into a room with a bunch of senior executives, senior leaders, and say, stop. We can't do this. And what we had to begin to start [00:12:00] to explain to a bunch of different people, both on the IT side and the leadership side is, the second the electronic health record goes down, it begins to lose its intelligence.
Over time, the intelligence level drops drastically. And it's not because there's anything wrong with either of the major providers, that they're great systems, they are very configurable, they have great resiliency, but all electronic health records rely on data entry to keep them current. As the currency gets further and further apart from reality, that therein lies a bigger problem because you'll actually have the electronic health record recommend things that are not safe.
Sarah, you have not given this medication in the last six hours. You need to give this medication. The EHR is telling you what it knows at that point in time because the data has not been fed back in to say no, everything's fine. They got it during the downtime. The continuity wasn't [00:13:00] there. So when we have this bifurcation of continuity, the lights are on, everything's great, go and use it.
Great, but did you talk about the clinical impact? And I really think that's where having the cyber clinicians, having the informatics folks, having the folks that have been at the bedside, and really pulling them into the conversation. Where are they in the disaster recovery communication plan? We've seen multiple places that went through ransomware.
And the press went immediately to the clinicians at the bedside. And we were hearing terrible stories of things being crazy because nobody had talked to the clinicians. That right there, that's part of crisis management. We need to make sure we have communications. We need to be able to bring everybody in.
I do not think it should be in any one office. I think there should be contributing factors and then the CXO, as you said, CIO, CISO, they [00:14:00] can make the final call, but you have to have that clinical impact. We're in healthcare. That's just what it is. If you wanted to do something else then be in finance, be in another agency, but when you're in healthcare, you have to bring the functional community into the conversation.
And the 36 hour down times used to be like the extreme, we do a system upgrade or we would do some kind of a change and it would be overnight for eight hours and everyone's going to hang out and wait for it to be over and catch up. 36 hours, bigger extreme. Now there's this expectation that you can be prepared for 30 days of downtime. JCO is recommending it. We've seen it happen this year with other health systems. That's an inordinate amount of time. That's extreme when you think of 30 full days being down and still providing care. How much of that is tied to the ability of a system to have the right planning in place to come up to speed, whereas even today we're seeing an article [00:15:00] about the HHS facing challenges as a lead agency for health care, cybersecurity, specifically the Government Accountability Office and combining with CISA efforts where this bill is just introduced as a combination of those two, and yet those two are having some challenges in really making sure that things are being monitored, that they're being evaluated, and that coordination is occurring.
When we see these things happening, the intent is there, the extremes are out there as well. And what you do in serving the community and bringing things forward, where do you see those pieces actually coming together in a way that makes the clinician, the CISO, the patient, feel safer at the hospital where they receive care?
That's a great point. And said we can't cut out the functionals. We have to have the functionals there, the clinicians. And my personal opinion, HHS has to be involved in this. They are the functional. We need the functionals there, the national level because healthcare [00:16:00] is not easy. I just had a discussion with my mom actually, and we were talking about healthcare reimbursement and she was talking about, she's of the age of Medicare. And so she's talking about, Oh, I had required to get all this stuff. But when there's a divorce between reimbursement and care, we have gaps and we have misunderstandings that if the patients don't understand it, we have a problem. So somebody is not explaining it.
The person in the middle is the clinician. If the clinician doesn't understand it, we have a problem. Take that analogy and put it into cybersecurity. CISA is great. I've known a deputy leader of CISA, I'm very enthralled with what they've done, their toolboxes, great work, fantastic. If you flip a switch on one of my devices, you could end life sustaining treatment.
There's very few other sectors where that comes into effect. Now, we can talk energy, we can talk about nuclear, we can talk about some others that are close, but mine are directly connected to patients. They are [00:17:00] people. So I do think there needs to be a balance between them, but when you look at the lack of monitoring, ineffective evaluation out of that GAO report, and the coordination challenges, First and foremost, HISAC has been working on this for years, trying to get how do we get machine to machine communication and information sharing.
That's why the ISACs were created. Then we had ISALs pop up, and then we had. In order to be able to share, you need to be able to speak the same language or translate to the same language. You need that Rosetta Stone. Unfortunately, the NIST CSF, which is a great Rosetta Stone, I've taken all of the different scales and tools out there and crosswalked it to the NIST CSF.
So that if I say, hey, can you satisfy this, then I can see in all these other tools what they evaluate to, but not everybody has taken the time to do that. It isn't mandated. If it's not mandated, it's not going to be done, because there are other [00:18:00] things that are mandated that have to be done first. When we look at, the coordination and the sharing, it's a for profit system out there.
There are non profit hospitals, yes. There are critical access hospitals, yes. I'm not bad mouthing anybody here, but I think the most important thing to understand is they will lose, a hospital system can lose commercial clients, patients. If they disclose too early, if they disclose too much they could be opening themselves up for significant financial impacts and potential risk increase over time for that sharing. There are certain things that the federal government does not share. It's on the classified side. Okay, fine. Let the classified side exist, but we need to make sure that we enhance trust across us. Now, I will tell you, I have seen an improvement since 2017 when we started to see WannaCry, Petya, NotPetya.
When that all started, there was a flurry of text messages, of calls, other systems, and people yanking things offline [00:19:00] to make sure that they were protected because we were tied in with England. We were understanding what they were seeing. We were looking at the same kind of traces. We were seeing more machine learning or machine to machine communication.
That has been an improvement. Now what we need to be able to do is we need to take it to the next level. And all due transparency, the GAO will bring in subject matter experts like myself and put us into situations and say what would you do? That evaluation is very controlled and we don't always have all the pictures.
So it's important to remember that this is an evaluation. It is. Federally funded, we need to make sure we take it seriously. But there are some things where, if we implement something, where is that clinical impact? Where are we putting that resource? Are we going to be able to keep taking care of patients, or are we going to have to hire another CISO, or are we going to have to hire some other tech, or are we going to have to buy a new [00:20:00] tool?
Those kinds of things Funds have to move hands. And right now there's not a lot of burning to cite Kotter but there has to be a financial incentive to move forward. And with there being the financial constraints that most of our organizations see, like I literally put as a mantra for 25 to create margin, to like work with our health system leaders to help them figure out ways to increase margin and still be protected enough.
If you are a CISO and a CIO, you're combined in this effort together. And let's just say we are partnered with you as an advisor to help us be safer. If we have the NIST cybersecurity framework in place, if we've evaluated the tools that are available to us from a government perspective, if we've And we're making sure that we're utilizing the right policies, the right involvement, etc.
What level of certainty or security can you share with your board and your C suite and your peers, knowing that there's always going to be a gap [00:21:00] somewhere? What makes it most approachable for you when you think I'm working with this client, they have all the best intentions, they're doing everything right, and something may still happen.
How does that narrative play out in understanding that there's always going to be a gap and what is considered So it's interesting, and this is what I like about being a clinician who is well versed in cybersecurity is, I go to the body. If I give you all your vaccinations and I make sure that you're in relatively good shape and, you're living, eating a healthy diet and everything else, I can roll the dice and say, you have, good odds to be, have long life.
But things happen. Genetics happen. There are things that happen out there. So there is a level of confidence that you have to make boards aware of, where it's look, there is no guarantee in this. It is healthcare, it is cyber security. If you look at cyberspace and really the Internet of Things and all [00:22:00] that as another layer.
Patient, as a living, breathing patient, they will be subjected to random changes, random acts of violence. There's things you can prepare for, but you cannot anticipate everything. What can you
How can you re instill that? So first and foremost, you talk about creating margin.
And I think one of the biggest things that I've seen us do at First Health is when we go in, I've received when I was in the government, vendors coming up all the time saying, I've got this new tool, it's going to help you solve all the world's ails, and by the way, we'll probably solve cancer while we're at it.
And I'm like okay, talk about this. I've watched our team go in and we say, okay, stop. I know you want to acquire this new flashy. You have something that will do the same thing. Let us first rationalize what you've got. Let's get everything operating the way it's supposed to. Let's look for those not needed redundancies.
Redundancies are still necessary. I do want to make sure that's clear, because when we saw with the [00:23:00] CHC attack, everybody used the same point. We created a single point of failure. That created its own issues. So you need strategic redundancies.
What you can do is operationalize what you've got. And then who else is using
If you've got passive listening device to identify your internet of things and medical things, then who else can be using that data? Can the clinicians use some of the data out of there? Can the IT staff? Can the IS staff? Let's find out how we can maximize what you've already paid for. That's number one.
Then as we start to move into more of briefing the board and preparing everybody, we need to really look at What is your resiliency plan? I've got daughters one of them was like, Oh, I might get sick. I said, Okay, so what happens if you get sick? Walk me through all the steps.
What is gonna happen? I'll probably have a fever and I'll probably have this and I'll probably Being the child of a nurse, by the way, is probably one of the worst things that you could have because they have to go through [00:24:00] the differential diagnosis before they can say they're sick. I feel so bad for my children, I love them dearly.
But, as they sit in and talk to me, and they work through, and they go through the worst case scenario, and then we say, okay, we've done all the preventative. Now, let us prepare for the eventuality that something might occur, and you build plans that are resilient. The visualization I like to give is you can fail like the miracle on the Hudson, or you can fail like the Hindenburg.
The miracle on the Hudson was a failure. The aircraft failed. The pilots were able to land it in one of the most challenging methodologies, and not a life was lost. That's because the pilot was resilient, the plan was resilient, and we were able to implement it and really adapt at the time. So now you look at the Hindenburg, obviously, didn't go so well, went up like a top, and many lives were lost.
How do you want to be seen? Where can you take your any of that additional margin that we got in the first part of our conversation? What [00:25:00] can we do to make it resilient? And so you have to be able to go back to basics. And so for me, and this is where I start drawing on my military experience, we trained for years on a basic thing.
It's called the Field Manual 7-8. It's not called that anymore, but back when old guys like me were in, it was the infantry tactical manual. Why would you train an air defender, a nurse, on infantry tactics? It's building blocks. It is basic construct. If you can do the basics, if you have a baseline, everybody has a shared vision of what that baseline is.
Now we can go and be resilient. We can mix and match parts of it to be able to continue to work. Take that into healthcare. Where is your downtime plan? Who wrote it? Who signed it? Who read it? Who do you have at your tabletops? That's one of my first things is. Show me your invite list to your tabletops.
And I can guarantee you're probably not going to have, first of all, the biomed [00:26:00] tech, you're not going to have the nurse on the floor. Because as I've watched multiple of these tabletop exercises, they put up the big skull and crossbones with ones and zeros behind it on the screen and, Oh, ransom attack!
And now what are you going to do? And they've got a monitor sitting beside the patient and it's beeping away and they're looking at it and they're doing all this other stuff. My first question is, what makes you think that's working? Yes, this could be a ransomware attack, but what's saying that's not working?
If you are using that to make a clinical decision, you better know it's right. And when was the last time anybody checked the blood pressure cuffs? Next time you're in the clinic, look around the room, ask your nurse, ask your med tech, where's the manual blood pressure cuff? And if they don't know the answer, that's a problem, because they need to understand the baseline.
They need to understand, okay, in the event something happens, we know the baseline. So we are going to convert to a manual process. Do they know how to do a drip count on an IV set? You don't need special stuff. You [00:27:00] just need to pull out the little widget on the disk that goes inside the pump. You need to pull it out ever so slightly and use a watch.
How many of them actually carry a watch?
These are all things that really go to the clinician's side of knowing the baseline. Because if the leadership has to focus during the downtime on making sure all of the clinicians can keep doing their work, they're not focusing on the reason that the downtime occurred and mitigating
It's full circle. The more that we invest on a unilateral methodology between all of us, and we all understand why we are doing the things we are doing in the downtime prep, in the tabletop exercises, those elements have to be understood at all levels. So that we can allow folks to be focusing on the events that they need to focus on.
And if you assume that, you've got your system buttoned down as protected as it can be. And to your point, which I [00:28:00] loved, how did it happen? So one group can focus on triaging the scenario and the rest can focus on patient care, but it all keeps coming together in the war room and other aspects. Mergers and acquisitions are happening at a rapid pace, more so than they ever have before. And that also includes the divestiture component, which I wish got more attention as well, because you might be the one acquiring, but somebody else is divesting that. And they can improve efficiencies from an operational perspective, but major cybersecurity challenges that require careful management.
This was most recently shared by Greg Sieg, who's the CISO at University of Michigan Regional Health Network. And yet something we talk about often in our dinners and our summits and with partners like yourself, because. What is the due diligence required when you bring on a new organization? And how long should that walled garden be up?
Do you have a walled garden in the first place? What's that quarantine space? What [00:29:00] is the integration plan to get things there? When an organization does have a strong cyber security program and they are bringing another organization into their mix, what do you recommend as some of the best practices and perspectives to ensure that you're not inadvertently bringing in a time bomb to your plan and to your organization. I think it goes even a step beyond just mergers and acquisitions. We've got a large electronic healthcare record out there that you can share with community partners. And that means they got the keys to your kingdom and you've got to be careful. You will inherit risk if you do that.
So it's really those external communications or connections that really are of importance. So it is funny, required due diligence, I think is the wording you used and I was like, ah, we get to that word of requirements. Who's establishing said requirements? Is it, yes, there's federal ones, but [00:30:00] really, you are acquiring this entity, or being acquired, everybody has to come to the table, and you have to know what's going on.
So there has to be open lines of communications, not just at the C suite level. It has to be all the way down to the clinical level. A lot of times I've seen that, hospital systems, they just wire in and bolt everything together from the acquired hospital and the parent hospital.
That's not really an enterprise approach. You no longer have a baseline. You no longer have a standard. And now, how can you make sure that if something were to happen, are you Hudson or are you Hindenburg? This again pulls in. If you don't then go down and make sure that everybody is rowing in the same direction, you could be creating churn.
And so when you look at it, it has to be having that open communication channels. At every level, it's like a zipper. We have to make sure it's all coming together. That [00:31:00] cyber security assessment,
assessments, I love assessments, okay, because we need to be able to see first. And this is a terminology that I stole ubiquitously from the 1st Brigade 25th Infantry when I was in Iraq. When we were dealing with the enemy, it was see first, understand first, and act decisively. And that three steps has stayed with me for quite a long time.
A cybersecurity assessment helps you see first, that just lists it out. Understand first, you need people that operate in the environment. You need people to then say, hey, here's the potential risk. Here's your clinical impact. You will hear that from me religiously. What is the clinical impact of these mitigations that you would need to put in place?
And then act decisively, you have to build out that project plan. There, there's too many out there that will just run an assessment and then go along their merry way. You need to see first, understand first, and act decisively, and really pull it together. If you're choosing to bolt together what is [00:32:00] happening in the downtimes or in your acquired hospital and acquiring hospital, then you will need to make sure that's documented and approved.
If an entity in your organization, whether it is newly acquired or been with you for years, does things in a way that does not work to your mission, vision, your organizational perspective, that's a risk. And you need to accept, transfer, or mitigate that risk. And that's where working with those organizations, you have to be able to really work a pragmatic integration approach.
You have to look at how you can determine which needs to be brought in, which, hey, I understand this is how you've always done it, I understand, we need to change this for this reason, so that this can continue. You can't just give the, you'll change this and walk away. You need to work with the people to get to the hearts and minds.
I have an old captain [00:33:00] now, Lieutenant Colonel, that worked for me years ago and she's hearts, minds, and stomachs. And she'd always walk up with cupcakes. By the way, you ever want to make people happy, walk up with cupcakes. Nurses are great for it. We always make cake. We always make cupcakes, at least in the DoD.
So it's an important way to open lines of communication to say, Hey, look, I'm gonna need you to change this, and here's why. If nurses, doctors, techs, and front desk staff understand the why of what's going on, they can better embody it. And they can take that building block and say, okay, I need to change this for this reason.
And then really it is that cultural integration. It's culture. Everything's about culture. I got to be a part of the Department of Defense's deployment of MHS Genesis. The new federal electronic health record, it has been a labor of love since 2015 for me. And I got to watch the final site go live in March of this year.
And really, it was seeing the Army, Air Force, and Navy come [00:34:00] together into a single organization, the Defense Health Agency, to deliver care to all of our beneficiaries. That has hit me personally. I was born into the military health system. And will be a part of the military health system and the VA system until I pass away.
And one of the things that we learned is that there was differences in each of those organizations. And we had to account for those and mitigate them and work together and find the best out of all of the organizations to improve the overall organization. And I think really when you work on that cultural level and you really get down to the brass tacks, General Ronald Place and his brother General Michael Place, both worked hard to really influence the culture of the MHS and the Defense Health Agency.
And seeing them lead that cultural change, that really inspired me to say, Hey, it's possible to be done. It's not easy, but get them on board. Work with your clinicians. The more that you're talking with them, the more that you're talking with [00:35:00] the front desk staff, nobody's role is small in this.
We are in a collaborative health record day, where everybody has to contribute to keep the patient safe. And what an amazing perspective that you've shared across the continuum. Everybody's responsibility for
[Keeping the Patient Safe]
safe, whether that is following legislation that's occurring from a bipartisan perspective to where the clinician fits in the whole resiliency aspect, to the front desk registration clerk who's making sure that thoughtfully get into the hospital or the clinic in the first place.
That continuum is something that is always there, front of mind, that we're discussing often and grateful that you've been able to join us today to share with our listeners. If I'm a CISO, a CXO clinician listening to today's conversation, I'm going to be scribbling notes and rewinding and going back and forth because I'm going to realize how many aspects of our conversation today need to be front of mind, especially going into a new year, [00:36:00] because if you're always preparing for something that never happens, sometimes you get a little more lackadaisical in the approach, and it's actually time to lean in even more.
Because new administration, because new regulations, because new opportunities coming forward, there's really no better time to be a part of cybersecurity and also a harrowing time as leaders realizing that you're always a step away from something happening. It's do you feel comfortable enough with the protections you have in place to realize that yes, I can and want to receive my care here and I know that my nurse knows where the manual blood pressure cuff is in the room. I'm actually going to go look for it next time I do my checkup. I'm going to say, Hey, where is it? How do you handle this? I usually ask them annoying questions anyway. But really understand their resilience and going forward is going to be key. So thank you for bringing all of those perspectives forward today.
Thank you, and thank you for letting me come here because this is something near and dear to my heart. All of [00:37:00] us are participating in healthcare. Whether we are a patient, whether we are loved ones or patients, whether we're actively delivering care, we're supporting the delivery of care.
All of us have a part to play in this. Every United States citizen, every citizen of the world that has a healthcare system, you are participating. You can choose how you want to be that participant. Active or passive. And I've chosen to be active. And anything you do in your hospital systems or as a patient, you should be practicing at home as well when it comes to cyber preparedness and cyber
[Mic bleed]
Absolutely. We love having First Health Advisory as a partner. Thank you for your insights and time today. And for all of you listening to Newsday, we appreciate you listening as well. That's all for now.
Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com slash news.
[00:38:00] Thanks for listening. That's all for now.