This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): Zero Trust and the Identity Perimeter with Mary Dickerson and Gordon Groschl
Drex DeFord: [00:00:00] Today on the UnHack channel with me Drex DeFord
Gordon Groschl: For every bone density analysis that we're doing, it used to take 20 minutes. So now three minutes, that means we're saving 17 minutes that the radiologist can spend on much more productive and even more important, you know, readings.
Drex DeFord: I'm Drex DeFord, president of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.
Let's get started. Hey everyone, it's Drex. Welcome to the UnHack podcast. Always exciting to have amazing guests with me today.
Today I've got Gordon and Mary. And Gordon, why don't you start, introduce yourself. Tell us a little bit about your background.
Gordon Groschl: Yeah, Drex. Good to see you, Mary. Good to see you again. We saw each other earlier this week. I'm Gordon Groschl, the Chief Information Security [00:01:00] Officer at Texas Children's.
Also have responsibility over healthcare technology management. That's what other organizations call biomed, a pretty large team, and been in healthcare now almost 20 years. And before then I was 10 years in telecommunications and a few years in the Austrian military. And I'm excited to be here and chat about cybersecurity.
Drex DeFord: You have one of the coolest backgrounds, and then to hear the story about how you wound up getting into Texas Children's and the work you've done there it's just been nothing short of Awesome. You've actually you were promoted to the CSO role just in the last year or so.
How long has it been.
Gordon Groschl: Yeah, it's now over a year. I think I functionally have been fulfilling that role. And so they finally slapped on the acronym.
Drex DeFord: Time flies when you're having fun. It has been over a year. Yes. Hi Mary. Why don't you introduce yourself for everyone who's listening.
Mary Dickerson: Great, thanks.
I am Mary Dickerson. I am the Chief Information Security Officer for UT Health Houston. UT Health Houston is [00:02:00] an institution that has over 150 clinics, but then we also have an academic and a research mission that we execute through seven different schools. Everything from a medical school to a dental school to a school of behavioral health and sciences, and we also have a school of biomedical informatics. So we have everything that ranges throughout healthcare and again, on the academic and research side as well. I've been at UT Health Houston for three years. Before that I was 25 years at the University of Houston system, where they also have academics and research and healthcare as their core missions.
However, it's a very different split. So at University of Houston, they do academics and research and, oh yes, they also do healthcare. At UT Health Houston, they do healthcare and, oh yeah, they also do academics and research. So it's been fun after 25 years in one institution doing a [00:03:00] variety of different roles to now change to UT Health Houston and get to do all of it in a very different and exciting way.
I'm enjoying the experience. I've really enjoyed getting to know Gordon and all the great work that he's doing at Texas Children's. Slightly different missions in what we do, but very much to the same strategy as to how to go about trying to deal with it successfully. So it's been a great partnership, spending time with Gordon and learning from all of his expertise and forging a new adventure of my own.
Drex DeFord: Hey, Gordon, you have research too, right?
Gordon Groschl: Yes. Yeah. Texas Children's actually has a pretty, I would say, elaborate research arm. So we partner with Baylor College of Medicine. That's where we get all of our physicians, and so many of the, I would say, researchers that work at Texas Children's come from Baylor.
And so close partnership. And we definitely continue to expand that. We just were awarded a large grant, a [00:04:00] multimillion dollar grant related to research. So we're very excited about it. And we invest actually quite a bit of, I would say, technology, energy to truly enable our researchers to really drive forward pediatric care.
Drex DeFord: When I was at Seattle Children's, we had a research institute too.
One of the biggest challenges I think I ever had was trying to figure out how to operate across the hospital and the research institute. Yeah.
And helping the docs who are in the hospital and also who are researchers, be able to get to one side and the other side and do it simply, I'll start with you, Mary. What's your thinking around that? How do you try to solve that puzzle today?
Mary Dickerson: So we actually have a lot of it integrated within itself.
So we have physicians that are providing clinical services and also doing research at the same time. So our challenge is to make sure that we do have very dedicated spaces for the research to occur in, while at the same [00:05:00] time having that same individual with access on the clinical side as well, to the service of their patients.
One of our biggest challenges right now is dealing with a lot of the federal and the state mandates that have come down regarding research security and compliance requirements. On those ends, we've always felt the understanding that research needs to be protected. Going to the lengths that the federal government would like us to go to with respect to foreign influence and things like that has made it a little bit more challenging to separate the research space from the clinical space when so many of the items are integrated in their concepts.
Drex DeFord: For my time at Seattle Children's. You want that integration to happen, right? That whole, how do we get the research from the bench to the bedside as quickly as possible? Is really important. But, Mary makes a great point about a lot of these research grants come with security requirements that you have to adhere to.
How are you thinking through that [00:06:00] process?
Gordon Groschl: Yeah, what we did, and I think. I'm not saying it solves all the problems, but I think it solves some of our problems. We really we built out a fully compliant public cloud environment for our researchers. It's not like a Lego build kit.
Where they get access to, I would say, capabilities. The data is already there. It's all secured and HIPAA compliant and compliant with CFR 21 Part 11, and it allows the researchers then to do their work in that, I would say, environment that is completely segregated from our operational environment and play around and do preparatory research and, come up with, look at data that would then lead to any kind of research protocol that they want to execute.
And that really has allowed us to I would say increase the velocity of what's happening in the research space. Make it easier for them rather than what hap what was happening before, which was like every time [00:07:00] a researcher wanted data, they had to go through a front door and ask. And then there's also reviews and approvals.
So I think this was a fundamental shift, and using public cloud for that has allowed us to really build on a very solid and secure foundation. So they're, you get these guardrails where you say, okay, I want my environment to be completely compliant. And it really accelerates the whole process.
Drex DeFord: This idea of building a structure that is secure but agile. So you can turn up the volume when there's new requirements. And that applies to things like M&A too. But being able to expand when you need to accommodate what the business, clinical or research leaders need turns out to be pretty critical.
Gordon Groschl: Yeah. It's super important that you build, I would say pre-approved pathways, almost think about it like blueprints and then you say okay, as long as you are navigating within that blueprint. Things are gonna happen fast, right? If you leave the blueprint, [00:08:00] this is where we need more due diligence, right?
Yeah. More preparation, more work. Everything gets much longer and I think it's a way of helping researchers and motivate them, right? To use the blueprint, the path that you're laying out to them versus going their own path and everything is unique and special and therefore, have to investigate and risk assessments and security configuration reviews, right? Et cetera. So building those pre-approved pathways really helps, I think, accelerate researchers, and when it comes to research, every, things move fast, right? And it's a much more dynamic than, let's say, patient care, where it's all about reliability, making sure the services are available, they're up, the data has the right level of integrity.
The security is there, but it's all about frictionless access and availability in the patient care space.
Mary Dickerson: I would agree with that. I would also say that the key to defining those pathways that make sense [00:09:00] is building the relationship between the information security team and those researchers.
So we actually have a team that they go out and individually meet with each researcher to discuss what they're doing, what they want to accomplish, and then we work with them to make sure that those pathways, as Gordon described, they are the fast track. They're not, every researcher has a unique snowflake, but we are making sure that as we build those pathways, we're not doing it in a vacuum.
So they want to work with this because we've built something that they agree with, that they understand and that meets their needs. I think one of the big traps that we in the information security world get is, we decide what we think the right answers are and expect that other people are just going to agree with this.
And that's not always the case. But by having that dialogue, by building that relationship, then everybody wins. And I think that's really the key to success, especially in this space. [00:10:00]
Drex DeFord: That's great when you have these conversations, some of them, I didn't mean to make this kind of all about research and the research healthcare delivery system overlap, but we've gone down this road.
So I wanna ask one more question. Mary a lot of these grants, a lot of these research projects extend across multiple institutions too. How do you handle that?
Mary Dickerson: We've had a lot of conversations with the other institutions. Just recently we're doing a collaboration with one of the major hospital systems in the medical center, and we've had direct conversations between their information security team and our team to say, okay.
This is what we're looking at. This is what the research side is saying that they want. What are your feelings on it? And so we come up with an agreement as to how the technology should work, and then we go back to the researchers saying, Hey, this is what we've come up with. Will this work for what you need?
And it's having all of those conversations, which can be very [00:11:00] time intensive. But if you invest the time at the beginning, number one, you avoid a lot of pitfalls later, but you also come up with a very workable research collaboration that we've found not only extends in that particular research project space, but it extends to other research projects that they will ultimately decide to do later.
Because when one research collaboration is successful, you get the snowball effect of, oh could we do this and could we do this? And so investing the time upfront to have those conversations, to come up with something that really is workable ends up being a good investment on everybody's part.
Drex DeFord: A couple of good lessons there, I think. Go slow to go fast.
Speaker 4: Yes.
Drex DeFord: Because then you don't have to go back and fix all the things because you went fast. You don't have to deal with that. And the other part, Gordon, is the, create the path of least resistance, make it really easy to do the right thing and make it really difficult to do what turns out maybe to be the [00:12:00] wrong and insecure thing.
Gordon Groschl: Agreed.
Drex DeFord: I wanna ask you another question, break from that and head in another direction. What is one of the coolest projects that you've worked on recently? And, what's the effect that it's had? What's some of the return that it's had?
It's always interesting to ask this question because sometimes the answers are all over the place.
Gordon Groschl: That is a great question and I could tell you now all about the wonderful cybersecurity program things that we're doing, but I'll pick something completely different.
One of the coolest things that my team was part of recently is we built a custom large language model that assesses or calculates bone density. And so basically it's we're sending basically X-ray images from our PACS environment to a custom a, a trained LLM that then looks at the X-ray image and measures basically the density of your [00:13:00] bone and then returns a result to the radiologist.
And the cool thing about this is that a radiologist, typically it takes 20 minutes to do that if they do it by hand, right? If they sit there in the dark room on the big screen, right? And if they do and they draw they put this place mark like marks on the X-ray, and then measure it like in all kinds of angles.
It takes roughly 20 minutes per reading. The AI does it in under three. So think about it like for every bone density analysis that we're doing, it used to take 20 minutes. So now three minutes, that means we're saving 17 minutes that the radiologist can spend on much more productive and even more important readings.
And we do quite a bit of those. We have one of the largest radiology practices, pediatric practices in the US. And so we do not just see our own X-rays, like from patients that come to Texas Children's, right? We have other hospitals sending us images that we're looking at as well from throughout Texas and [00:14:00] sometimes even beyond.
And that was a really cool project and there was a lot of cybersecurity involved. And it's artificial intelligence, it's large language models, but our data scientists and our AI team, they did a phenomenal job. So it was very exciting.
Drex DeFord: I mean, it's, you know, and it's fairly easy math to do if you're giving them back 17 minutes, times, however many times they're doing this in a day or a month or, yeah. The amount of time back in their bank. Yes.
Gordon Groschl: And at the end of the day, it's also, it creates revenue, right? If I can do something faster then I can basically focus on other more, I would say, valuable. Not only like patient care, valuable activities, but I can also generate more revenue.
And radiology is a big revenue driver for Texas Children's. So we're very excited about it.
Drex DeFord: Mary, I'm gonna ask you the same question. What's one of the coolest things you've worked on lately that you'd like to talk about?
Mary Dickerson: So I'm gonna give a totally different answer than Gordon's approach.
[00:15:00] So I'm actually gonna focus on the people instead of the technology. So I've been at UT Health now for three years. And one of the things that we've done is we've tried to look very carefully at our team. And what skill sets and stuff we have and how to evolve the team in ways that we can more effectively meet the mission of the university.
And so one of the things that has come up with our discussions and working with our managers and such is that everyone talks about identity being the new perimeter, but a lot of people are not fully integrating that into how their security operations center is working. So what we did was we had a traditional security operations team that did incident response, firewalls, all the things you would typically associate with security operations, and we had a separate team that did identity and access management and all the things that you would typically associate with authentications and things like that. What we did was [00:16:00] we actually merged those two teams together. We split the SOC out as a separate group that only does SOC activities, but everyone else does identity and security operational tasks. And so by merging those teams together and refocusing the different pieces, we really have gone to identity as our perimeter. That's the first thing that we look at when we have a potential compromised account.
That's the first thing that we look at in our research environments to make sure we do have things secure and such, is we look at that. Well, by positioning our team that way, we've really approached how we're handling all of our security operations in a different perspective, and that different perspective is giving us a little bit of an advantage in dealing with the constant evolving threats, the fact that they're coming at us much faster, much more comprehensive. We now have this integrated team that can look at it in that way. So [00:17:00] it's still in progress. So stay tuned for what benefits we've actually seen from it. But in the meantime, it really has given our team a different perspective in addressing the problems everyone's facing.
Drex DeFord: Thanks for joining on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.
Together we are stronger.