This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Today's episode is brought to you by Censinet. Healthcare organizations face mounting enterprise and third-party cybersecurity risks across vendors, applications, patient data, and medical devices. The Censinet RiskOps platform is the only cloud-based risk exchange that's purpose-built for healthcare, connecting hundreds of hospitals and health systems, and more than 50,000 vendors and products.
Take the risk out of healthcare with Censinet's collaborative and community-led network. Learn more at thisweekhealth.com/censinet.
I'm Bill Russell, creator of This Week Health, where our mission is to transform healthcare, one connection at a time. This is an executive interview on the keynote channel.
Quick, powerful conversations with leaders driving change. So let's get started.
Bill Russell: All right. It's an executive interview and I'm excited. Today I'm joined by Ed Gaudet. [00:01:00] Ed is the, are you the founder?
You're the CEO of CEO and founder. CEO and founder of Censinet. Yeah. That's exciting. We could spend the whole time just talking about that. What's it like founding a startup in healthcare? It's pretty easy, isn't it? No it's, it's one of the hardest. You did you go the fundraising route?
In raised funds. I did. Along the wall. Yeah. Oh, you did? Yeah, I did.
Ed Gaudet: I was cordially commanded to go back to work by my wife who wanted me out of retirement 'cause I was causing trouble. I think we talked about this earlier. We got, I was following these guys around again, you know, eight acting 18 years old.
Oh man. Having a good time. I'm an options trader. I was trading stock and I was writing a couple of screenplays and she was like, I can't, you can't do this. Sit at the kitchen table like this. You've been on the road for, you know, all of our marriage and now you're home and I don't know what to do with you and you're causing trouble.
And
Bill Russell: I just talked to somebody about that. I did one year where I traveled 42 weeks in one year [00:02:00] for doing consulting. And then the following year I think I followed that up with like 30 some odd weeks. And my wife is a saint. It's amazing. I mean, because that's really difficult, especially raising kids and stuff.
And I remember the following year, I started really focusing in on the local market, and I was home a lot more. And she'll be the first to tell you, she's like, that was a significant adjustment for our marriage. Like, not having you around was an adjustment, but it was probably an easier adjustment than having you around.
Ed Gaudet: Even the kids at that point don't really want you around. They've gotten used to, they used to call me the bank. Oh, the bank is home. Like, wait. Who are you talking about? Is that me?
Bill Russell: That's like, man,
Ed Gaudet: I was 200 plus nights out last three years at Imprivata.
Bill Russell: What does it take to be successful as a healthcare IT startup? It's, I would imagine, well, clearly you have to have a good offering that the market needs. I mean, is that where you started? You're like, Hey, we identify, yeah, you have to solve problem. Third party risk is a significant issue and you wanna get in [00:03:00] there.
Ed Gaudet: Yeah. And from the vendor side, I had experienced it coming outta Imprivata. You know, my team ended up marshaling a lot of these SRAs, these risk assessments through the process. And I would always say if you saw one, they were all different. You could never really get leverage. I kept coming back to this term leverage and I reached out to a dozen or so providers I had relationships with and they also had difficulty with the process and so we set out to, to redefine risk management in a way.
Was community led and community leveraged. And so we built this network of providers and their ecosystem of third parties to facilitate risk. Our vision is to take risk outta healthcare
Bill Russell: Bill. Yep. And you really have a double-sided market. Right? We do not only helps the vendor a true double-sided market, not marketing speak, it's actually a true double-sided market.
Right. Right. I mean, because. As a CIO, it would benefit me because you had already vetted the That's right. Other vendors, and if I'm following the same methodology and the same approach, essentially they're. 90, [00:04:00] 95% pre-vetted before I go down the path with them, I would assume.
Yeah. The other thing that we innovated
Ed Gaudet: on was the process and the workflows, and so we purpose built everything for healthcare. We worked with customers to define those workflows that were manually done, and we automated them on the platform and did it in a way that, again, gave you leverage so you weren't just getting another.
Canvas to customize, to take your process. That probably wasn't great anyway. That's why you needed technology and jam a process that needed to change into a piece of technology. So we come to the market with is purpose-built workflows, specifically designed with our customers and designed for healthcare, not for horizontal, every other industry.
And then you customize around that, but specifically
Bill Russell: for healthcare. So, is it harder getting it off the ground or is it harder to scale it?
Ed Gaudet: There are different problems. Getting a network based solution [00:05:00] off the ground was difficult. I'd never done one. In my career, I've done 11 companies, everything from build development tools, QA automation, middleware for distributed computing to deploy database performance, service level management through cybersecurity to protect.
Using data protection tools enterprise rights management authentication, identity access management, secure communications, and then risk management. And this problem of building a risk management network is very different. The first problem you have to solve is what side do you subsidize and what side do you monetize?
Because the first question. A paying customer will ask you is, well, how many are on the other side?
Bill Russell: And
The answer is
Ed Gaudet: zero, not, yeah. The answer is like, two, right? Myself and somebody else. And so you have to figure out strategies to ratchet up the network over time as you're building out your customer base.
It's really hard to do.
Bill Russell: Then there's plateaus. As a business owner, I know this, there's certain plateaus that you hit that you're like, like [00:06:00] what, how do we, how do we push past this number or how do we push past this density of our network to the larger. Getting
Ed Gaudet: to that first million dollars is hard in ARR.
Getting to that $5 million in ARR is hard. And then getting past the 10 and then getting from 10 to 20, those are sort of the milestones that we're scale and really understanding how to scale is so important, so critical.
Bill Russell: And and so, I put you in the category of one of the best. Marketers in the industry.
I know you give a lot of credit to your brother, but you have the the logo there. You do the Risk Never Sleeps podcast. And we talked about this before. Somebody came to us, said, oh, Ed's competing with you. I'm like. There's no competition in podcasting. I mean, we're No, we're all serving different markets and we're all doing stuff and I love the stuff you're doing and I love your approach to did you see it as marketing or did you see it as more like just connecting with your clients and having conversations?
Ed Gaudet: Yeah, it was more looking at the overall [00:07:00] strategy of building out that community, building out the network, and what can I do? So I have a profit and a philanthropic mission, right? So I obviously want to grow the business. I want it to be profitable, but I also want to give back to the community.
And I feel like vendors should have a balanced view of that type of mission strategy because we serve alongside our customers and everyone in healthcare. This is what I love about healthcare the most is that shared mission, that you don't have in any other industry, Bill, like no mission, no margin, no mission.
Like if we can't help our customers achieve protection goals, cybersecurity goals, reduce risk, and do it economically. I mean, I'm focused on technology solving problems through technology, but really driving down economics of the solution, creating super significant efficiencies and effectiveness at scale for organizations that have so much risk inherently in [00:08:00] them.
Bill Russell: We do the CISO round tables and the I can almost tell you what the conversations are gonna be. 'cause one of the things we say is, you know, what's a proper challenge that you're dealing with? And then they talk amongst themselves around those problems. Third party risk is always number one or two.
Third party risk is a really challenging problem for these health systems to get their arm around. It's like you it's not quite whack-a-mole, but I think what it requires is something we're unwilling to do, which is to essentially say, if third parties don't meet this criteria, we're walking away.
And we're unwilling to do that and say, look we've gotta find secure partners. We gotta find partners that are serious about their security posture and hygiene and all those things. Or we can't do business with you 'cause we can't give you the data.
Ed Gaudet: I thought long and hard about this problem.
And healthcare leaders need to approach third party risk and risk management in general the same way they approach clinical care and it can't be a one and done, it can't be a certificate [00:09:00] only approach. It has to be an approach That is led through transformation. The transformation doesn't happen through technology, it happens through leadership.
Barry Chakin just wrote this nice piece on LinkedIn and he mentioned that I love that technology does not create transformation. Leadership does, and everyone pushes third party risk down to, you know, to directors of IT or risk management, and. Those are the folks that do the work and it needs to go there, but it needs a level of vision and strategy and transformation because it's different than what we've been doing 20 years ago.
It needs to be different than what we've been doing 20 years ago. It can't be a checkbox certificate any longer and I think they always lean on those. Well, I got a SOC 2. Well, that's great. By the time the SOC 2's published, it's already outta date.
The technology's probably been through four or five revisions already, or updates. What are you doing with the inventory that you currently have as those vendors and products are being AI [00:10:00] enabled? If you're waiting for the next SOC 2 in two years to get done, you're already at risk and it's not one or two vendors.
It's exponential. I would say 80% of the vendors right now in healthcare that have been part of the inventory for the last couple years are AI enabled in some way, and healthcare leaders don't even know about it. They're looking at the new things that are coming in the door, which you have to do. It's necessary, but it's not sufficient.
We're just scratching the surface of the problem, in my opinion.
Bill Russell: I want to go in two directions here. One is I want to ask you about budgets, and then the second is I want to ask Yeah. About AI. Are we funding in healthcare, a, this is too broad of a question, but are we funding cybersecurity and privacy and security well enough in our health systems?
I mean, and what is well enough?
Ed Gaudet: Yeah it's a great question and it's never simple and everybody wants more budget. Everybody wants more than 6% of the IT budget to go [00:11:00] to. I realize that's what I was asking the question.
Bill Russell: The answer is always you have more. Just give us more we'll of it. But yeah and it
Ed Gaudet: may not be more, it may actually be less.
Most people look at one thing when they're trying to solve a problem, but everyone talks about the holy trinity of it. People process technology, but then in practice. When you actually have to go and implement technology, people are pushing their old process. If the technology is not informing the process in a way that actually drives new outcomes, that drives mission critical outcomes, that drives the ability to keep your systems up.
Forget about breaches, I worry about shutting the system down, diverting care to another hospital that might be stepping off. Right? That's what we saw
Bill Russell: last year. I mean, that was serious.
Ed Gaudet: No, that's right. That's right. And we've set up all these artificial constraints, like for example, Change Health happened because quite frankly, for a number of reasons, number one.
I remember being at VIVE and I remember when a handful of customers that, you know, came [00:12:00] by and were talking about it because it happened during VIVE, and they're like, yeah, we're good. We don't have a problem. We don't use those products. Three days later they're like, oh my God, we use those products. We had no idea we use those products.
Right. It's a huge clearinghouse. It became this clearinghouse that was acquired. Year after year with all of these products in these third parties in supply chain, right? Became constrained, became consolidated. Consolidation is a risk. Many CIOs will say one of my strategies is consolidation. Okay, that's great, but guess what?
You're creating risk in your business by consolidating too. You can't just look at consolidation as an economic benefit. You also have to look at it. In the context of the risk you're creating in your organization. Many of the Change Health issues were because they signed exclusivity clauses with Change and they couldn't build a resiliency or continuity plan that lined up alternative solutions.
In the event we had a Change debacle, [00:13:00] which is what we ended up with.
Bill Russell: Well, the interesting thing about Change is that the event happens. It's much more broad than we had anticipated. Yeah. Then we say, okay here's what we identified. We identified that we had a essentially a single point of failure around this clearinghouse, if you will.
And you know, a couple months later, I'm just talking to a couple CIOs. I'm like are there any more of these that we haven't identified? And they sort of looked at me like, that's a good question. I'm like, yeah, that's right. That's a good question. Like, if I were a CEO or a board member, that's the first question I would've asked.
The CIO I'm like, exactly. Well, and I'm not even sure. It's just the CIO. I would've asked that question too. I would've asked the COO like, Hey what other things? 'cause that's a business risk
Ed Gaudet: It's a business risk. It's a clinical risk. And it goes back to my point that cyber security.
GRC, whatever you want to call it, has gotta be thought about strategically the same [00:14:00] way you thought about your clinical adoption, your EMR adoption, right? And you have to look at it with fresh eyes. If you look at it with a you know. With what we've done in the past, right? It comes back to a very tactical, very technical problem.
And if you live in that world, you're never gonna get past yourself. You're always gonna stay in that world. To your point, the way to, to identify the next Change Health is to understand all of your business processes. Which ones are critical functions in your industry, and then have all of your vendors and all of your products mapped to those so that continually, as things change, you stay on top of it.
And that's what we've added, that's what we've added as part of our solution, is we take a business processing critical function approach to risk. We look at vendors and products in the context of that ontology. Of business processes. 'cause every business process today is supported [00:15:00] by some type of technology, whether it's a SaaS application, a medical device, a combination of a couple of different things.
But it's largely technology based. We live and die based on the technology that's in place today, and we're still taking risk-based approaches that are 20 years old. What needs to modernize? Leadership. Leadership has to change the way they think about risk management, change the way they think about cybersecurity, and they need to think about it transformatively.
They need to take a step back and say, this isn't about vulnerability management. This is about clinical continuity and business resiliency. How do we get to a place where we can look at any point in time our business processes, our critical functions being if it goes down, we stop delivering care.
If it goes down, patients' lives are at risk. If it goes down our right to operate goes [00:16:00] away. All right, I'm gonna make you, and that was the problem with Change, right? Change was a, not only a patient threat, but it was a business threat,
Bill Russell: I'm gonna give you a role play here.
You got me fired up, Bill. You got me fired up. I know. I'm gonna make you, I'm gonna make you a CISO for a, this is my favorite use case here. You're now a CISO for a 16 hospital system six and a half billion, $7 billion health system. You're gonna be presenting to the board. Make the business case for security as a differentiator, like you can differentiate our business based on our based on our investments and our security posture over somebody else in healthcare.
Is that a case you would want to try to make?
Ed Gaudet: Yeah I think you can make it, I think you can make it in a way that says, let's take a look at what outcomes we want to drive through security. Let's take a look at what outcomes we wanna drive through all the investments we're making in GRC and cybersecurity and biomed.
Part of the problem is a lot of these are still managed [00:17:00] in silos, so there's duplication of effort, there's leverage. That's not. Taken advantage of, right? Because you've got cybersecurity functions, maybe in cybersecurity under one roof. But what our data shows us, and we do these benchmarks every year, is that it's actually spread out all over the place.
Business continuity and resiliency is in one department. Cybersecurity is in another department, the SOCs, in another department, you've got biomed is managing medical device security, right? And yeah, sure, maybe there's matrixes, maybe there's some conversations that happen, but there's a lot of opportunity to transform that entire view of the world and make it horizontal and so I don't know if I could take out 20 to 30 to 40% of your costs and deliver more coverage.
Through a combination of leadership transformation, policy changes. I mean, to your point earlier, do you know how many companies that I work with? And I'll tell them, okay, [00:18:00] here's our best practices. You wanna achieve these outcomes, we recommend you follow these things. You deviate from these things, you're gonna get different outcomes.
It's fine. Right? You can choose your own path, your own journey. The first thing I say to them is, if you want vendor risk management to work for you. The first thing is make the policy change to require all vendors to go through your process and not deviate. And if they don't go through your process, don't do business with them, period.
Right? And if you did that literally held, you know, to that policy, you'd get compliance. Yeah, that would solve probably 90% of the problems we face in risk management today, because the vendors, there's no teeth, there's no incentive. They're gonna take their time, right? I'm not saying all vendors don't like this, but there's a lot of friction in the process. There's a lot of noise in the signal today because we are still operating like it's 2005.
Bill Russell: And [00:19:00] that's it's really it took me back to a conversation. It was a couple years ago, but the CIO sitting around the table and we had that conversation
and somebody, one of the CIOs said. Look, we won't even entertain a RFP response unless they agree to this. I said, well, it's really interesting. And by the way, there was disagreement at that, like it, not disagreement, but there was CIOs at the table who were saying, man, I wish we could do that.
Like, I wish I could get leadership to agree to that. But if, you know, if supply chain comes in and says, Hey, no, we've gotta use this vendor. Them saying, we've gotta use this vendor sometimes will trump the following, the procedure and the process, depending on the political clout of the person who's bringing that vendor in.
And Yep. And then hope becomes a strategy.
Ed Gaudet: Hope becomes your strategy. And then when you do have a problem, you have nobody but the blame. Right. And quite frankly, that should be tracked and that should be shared at the board level. Hey here's our appetite, here's [00:20:00] our threshold, and guess what?
We let 20% of our vendors through the process without any risk assessment. Whoa, you did? Yep. Because the business said they needed the product. I guarantee you things would start to change if governance really started to do their jobs. You are saying if there's transparency. Transparency is the enemy of risk.
Bill. It is. It's thank you for setting me up. 'cause I love that statement. It's, oh. Yes. Yeah. And that's the point of the leverage at a network level because you're driving that transparency. Right. And the more transparency you have in any type of system, the less risk you have.
Bill Russell: All right. So you brought up the word transparency and we only got a couple minutes left here. Yeah. AI, to me is one of the least transparent things we've ever done. You talk at this chat bot, something happens behind the screen and it like, opens the screen and hands you something back and you're like, Hey, what happened to the stuff I just gave you?
And. Where did the stuff come from that you just, you know, like, how did [00:21:00] you come up with what you just gave back to me? There's an awful lot of risk where you know, there's semantic drift there's all sorts of things that we have just entered into the conversation that weren't there even three years ago.
I'm trying to think what the question is. The question is, are we starting to factor this in? I mean, I just came back from UGM, UGM they announced. I saw that. Yeah. A thousand different things.
Ed Gaudet: Yeah. No, I saw your piece on that too. That, that roundup I was really good. Yeah.
No it's interesting. In, I hearken back to a 30 year, don't hold me accountable to the dates here, but a Microsoft strategy. Secure by design, secure by default. Like if we just start there, every vendor follows that as a strategy, we'd solve 80% of the issues, right now, today, the problem is it's turned on by default and we have AI in our solution.
We secured it by design. We worked with Amazon to get a secure container. Data doesn't leave our environment, [00:22:00] and by default it's turned off. Customers have to opt into all of the capabilities, one of the capabilities, 1, 3, 7, whatever they want, based on use cases. So it should be a use case driven approach to adoption, not because a vendor says all or nothing, or because of a vendor that's already in your environment has slipped it in.
And that's the problem. There's so many vendors right now that are enabling AI. I remember when Adobe Acrobat came out, you may have seen this. They first came out with their AI capabilities. They forced you to take it. You couldn't turn it off. I couldn't turn it off, and so I couldn't use it, so I had to de-install it.
I didn't install it off my laptop because it went against our security policy and then Reddit blew up and then they eventually recanted. So that, just that alone if we held vendors accountable to those two principles. We'd be on our way to solving this problem. There's gonna be hallucination, there's drift, there's bias, there's all [00:23:00] these things that we have to work through.
We need model cards. Right. That's gonna take time. Right, right. But we should start adopting it in a way that's controlled, in a way that manages risk. We still may be taking on more risk than we'd like, but we definitely should be adopting AI. And I'm not sure, I mean, I saw your point about. Stay with the existing vendors with ambient listening.
Wait for Epic to
Bill Russell: figure it out. Yeah just be, for those who are listening to this three years from now, it's August 26th, 2025. That's right. And I'm just saying version 1.0 from Epic is usually not something you wanna jump on.
Ed Gaudet: I don't disagree with you. However, I will say this two years into it doesn't mean it's version four for these existing vendors either.
So in some way you could probably go all in with Epic right now and you'd have minimal risk. The longer you wait, the more difficult it's gonna be to change. One of the benefits of an Epic, [00:24:00] which I don't think I read, but I know you know, is the fact that it is in Epic.
Reduces the number of clicks clinicians will have to take. By using that capability, it's gonna be integrated in. My first foray into healthcare was Imprivata. I'd never done healthcare previously. So, 10 company or nine companies previously, no healthcare, go to Imprivata, do healthcare.
And I remember sitting around the table talking to our customers and they were talking about why they were using the product. And they were talking about in terms of saving help, desk calls, password resets and I said, wait, but you don't use the product. The clinicians use the product. What do they say the problem is?
You know, and they laughed and they rolled their eyes and I'm like no what? But what do they say? Oh, they talk about saving clicks. And I was like, saving clicks. What is that? Never heard it before. What is that Healthcare is so workflow driven, so workflow centric, and so outcome centric.
Why aren't we [00:25:00] taking the same learnings that we've had for the last decade or so through EMR adoption and then applying them to cybersecurity? Why do we treat cybersecurity like an orphan stepchild?
Bill Russell: It's a great question and that's why I'm glad you have your podcast Risk Never Sleeps. Yeah. So what's the schedule for the podcast coming up?
Do you have, yeah, let me, I, you asked a question
Ed Gaudet: earlier about it and I don't think I answered it, but the reason I did the podcast was because I felt like there was a void in podcast that focused on the people behind the roles. And to me authenticity is really important. It's one of our core values and so.
I wanna get to know the person I don't, I mean, I'm interested in their journey from a technology perspective, their strategic initiatives, all those things that matter to my business that we can map to. But I'm really interested in the person's journey. Why did they get into healthcare? What have they learned?
What's the riskiest thing they've ever done? They're on a desert island. What are the top five albums they'd bring with [00:26:00] 'em?
Bill Russell: What would you bring? What would I bring? Five albums? Yeah. The, you know, that's a great question 'cause it tells you a lot about a person. You know, I am extremely eclectic in my music.
'cause I would, I'd have some Broadway stuff with me. I'd have some eighties rock stuff with me. I had eighties rock Def Leppard. I was more a Journey and Styx kind of guy. Oh, Styx. Nice. Grand Illusion. It would be all over the place. But, you know, I like Enya.
You know, now people are laughing, but you know, it's no, it is great. What I have to determine is what mood I'm in today, and that's what music I listen to today. It's so funny that
Ed Gaudet: people would comment on it. You can tell what mood Ed's in based on the music he's playing. If he's playing jazz.
Don't go in, don't go
Bill Russell: in, do you do bump? I mean, I wanted to do really cool bumper music for the podcast. It's hard to do. Oh yeah. It is hard to do.
Ed Gaudet: Yeah. What do you, what do you have something? Would you No, I,
Bill Russell: well, no, I went out and [00:27:00] got royalty free stuff and I've been using it for eight years now.
Yeah. But you know, the, there's such, every now and then you listen to one of these, like, real big time podcasts. They must pay the fee to get the ability to use, you know, the clips from, I don't know, like a Rush clip or something coming into their stuff. And we can't do any of that stuff that's that's dangerous.
Ed Gaudet: A good friend of mine actually creates his own music. So actually I use a piece of his music in mine. Oh, nice.
Bill Russell: Yeah. And you have your own personal artist for your show? I do, yeah. People have to listen to this Del Piamo. He's great.
Fantastic. That's awesome, Ed. It's great to catch up. We will have to do this again. Likewise. Yeah. Looking forward to keeping these conversations going, and appreciate you being a partner this year with This Week Health. Yep. See you on the road. Absolutely. Take care.
Thanks for joining us for this executive interview on the keynote channel with me, Bill Russell. Every healthcare leader needs a community they can lean on and learn from. [00:28:00] Subscribe at thisweekhealth.com/subscribe and share this conversation with your team. Together we're transforming healthcare.
Thanks for listening. That's all for now.