How to Safeguard Your Healthcare Organization from Cyber Threats with Steve Cagle, CEO of Clearwater
September 13, 2024 | 00:17:13

Cyberattacks are not just about data; they can disrupt critical healthcare services.

In this episode, Steve Cagle, CEO of Clearwater, delves into the transformative impact of digital technology on healthcare delivery and highlights how technology improves operational efficiency, patient experience, and access to care in remote locations. These advancements bring cybersecurity challenges, including an alarming rise in cyberattacks targeting sensitive patient data. He stresses the critical importance of prioritizing data security and patient safety, emphasizing that cybersecurity is not only about protecting data but also about safeguarding lives. Steve also discusses Clearwater's approach to assisting healthcare organizations, including risk analysis, establishing a cybersecurity culture, and implementing scalable security programs aligned with industry standards. Moreover, he touches on recent developments in healthcare cybersecurity, such as the Department of Health and Human Services' efforts to address cybersecurity concerns, and shares Clearwater's commitment to supporting smaller healthcare providers by offering comprehensive cybersecurity services through its Clear Advantage Program.

Tune in and learn how to protect your organization and patients from cyber threats, while staying on top of your game!


[00:00:08] [SPEAKER_01]: Hey everybody, welcome back to the BEAT podcast recorded here in Los Angeles, California at

[00:00:15] [SPEAKER_01]: the VIVE event.

[00:00:17] [SPEAKER_01]: My name is Saul Marquez, your host for today, and I have the privilege of hosting Steve

[00:00:22] [SPEAKER_01]: Cagle.

[00:00:23] [SPEAKER_01]: He is the CEO and board member of Clearwater, a leading cybersecurity and compliance partner

[00:00:29] [SPEAKER_01]: to organizations across the healthcare ecosystem.

[00:00:32] [SPEAKER_01]: He assumed the CEO position at Clearwater May of 2018, bringing extensive experience leading

[00:00:39] [SPEAKER_01]: innovative and scaling healthcare and technology businesses, including having guided a number

[00:00:44] [SPEAKER_01]: of companies through critical transformation periods.

[00:00:47] [SPEAKER_01]: Excited to have you here Steve, thanks for joining us.

[00:00:50] [SPEAKER_00]: Excited to be here, thank you for having me.

[00:00:51] [SPEAKER_01]: Of course.

[00:00:52] [SPEAKER_01]: We're doing a lot here, we're going to be diving into several different questions,

[00:00:56] [SPEAKER_01]: but before we do, let us know a little bit about Clearwater, what you guys do,

[00:01:00] [SPEAKER_01]: and how you add value to the ecosystem.

[00:01:03] [SPEAKER_00]: Okay, Clearwater is a healthcare focused cybersecurity and compliance services organization, and

[00:01:09] [SPEAKER_00]: we work with clients across the whole healthcare ecosystem, whether it's hospitals or health

[00:01:14] [SPEAKER_00]: systems, physician practice management groups, and digital health companies to help them

[00:01:20] [SPEAKER_00]: to become more secure, more compliant, and more resilient so that they can achieve

[00:01:24] [SPEAKER_00]: their missions.

[00:01:25] [SPEAKER_00]: Love it.

[00:01:25] [SPEAKER_01]: Love how clear that mission is.

[00:01:28] [SPEAKER_01]: How do you see digital transformation reshaping care delivery in 2024?

[00:01:34] [SPEAKER_01]: And what are the main challenges and opportunities this presents, Steve?

[00:01:38] [SPEAKER_00]: There's been an acceleration of digital transformation over the last several years,

[00:01:43] [SPEAKER_00]: and look we all know that in healthcare we have a lot of opportunities to solve

[00:01:48] [SPEAKER_00]: some real challenges.

[00:01:50] [SPEAKER_00]: There's a lot of inefficiency in healthcare.

[00:01:53] [SPEAKER_00]: There's a need to provide better equity and to really drive down costs which

[00:01:57] [SPEAKER_00]: have become much higher over the years, and technology is helping organizations to do that in many ways.

[00:02:03] [SPEAKER_00]: We're seeing better use of data analytics for example to help fuel risk-based ways

[00:02:09] [SPEAKER_00]: of delivering care with value-based care.

[00:02:11] [SPEAKER_00]: We are seeing operational efficiencies being achieved through artificial intelligence,

[00:02:16] [SPEAKER_00]: better patient experience, also through technology which is also helping to get care to patients

[00:02:22] [SPEAKER_00]: in remote locations.

[00:02:23] [SPEAKER_00]: And so all these things are really great ways of trying to address those challenges.

[00:02:28] [SPEAKER_00]: What's common with all these technologies though is that we're generating a lot more data,

[00:02:33] [SPEAKER_00]: very sensitive data that needs to be kept private and secure.

[00:02:36] [SPEAKER_00]: That information is being shared among more people with more locations and it's very

[00:02:43] [SPEAKER_00]: highly targeted information, very sensitive data that's worth a lot to criminals who

[00:02:50] [SPEAKER_00]: more than to get to that data and to use it for nefarious purposes or to sell it or

[00:02:55] [SPEAKER_00]: to hold organizations at ransom to get their data back.

[00:02:59] [SPEAKER_00]: And this is becoming an enormous problem in healthcare.

[00:03:03] [SPEAKER_00]: We saw last year an increase in cyber attacks, over 135 million patient records reported

[00:03:10] [SPEAKER_00]: to the Office for Civil Rights, an increase in the number of ransomware attacks across

[00:03:14] [SPEAKER_00]: the industry.

[00:03:15] [SPEAKER_00]: And this is a real challenge from a patient safety perspective.

[00:03:20] [SPEAKER_00]: It's also a challenge from a financial perspective because breaches are very expensive.

[00:03:26] [SPEAKER_00]: It's the highest cost in any industry to have a breach in healthcare at almost $11

[00:03:29] [SPEAKER_00]: million, according to the Ponemon Institute.

[00:03:32] [SPEAKER_00]: And ransomware attacks can cost anywhere from $15 to over $100 million as documented

[00:03:36] [SPEAKER_00]: through many of the ones that we saw over the last several years.

[00:03:40] [SPEAKER_00]: Great things happening with technology, changing things for the better but also along

[00:03:45] [SPEAKER_00]: with those changes comes responsibility to protect that information to keep it safe.

[00:03:50] [SPEAKER_01]: Thank you, Steve. Yeah, some really great call outs on the advances but also the risks

[00:03:54] [SPEAKER_01]: that come with that data and the bad actors that want to have that data.

[00:04:00] [SPEAKER_01]: How should organizations address the critical issues of data security and patient safety

[00:04:04] [SPEAKER_01]: then? And do you have an example of what your organization is doing?

[00:04:09] [SPEAKER_00]: Great question. I think the first thing we all need to understand is, and you just

[00:04:13] [SPEAKER_00]: said it, that cybersecurity is patient safety. We've traditionally thought of it.

[00:04:18] [SPEAKER_00]: Cybersecurity in healthcare is keeping data private, which is also very important

[00:04:23] [SPEAKER_00]: that we secure data because harm can come to patients when confidentiality is breached.

[00:04:29] [SPEAKER_00]: However, we also need to know that patient lives are at risk and ransomware attacks

[00:04:34] [SPEAKER_00]: over the last year increased by 95% globally. In the U.S., 46 hospital systems were

[00:04:41] [SPEAKER_00]: affected by ransomware attacks versus 25 the year before. And these attacks have really

[00:04:48] [SPEAKER_00]: very impactful results when you have ambulances that are diverted from emergency rooms.

[00:04:54] [SPEAKER_00]: Patients have a delay in getting care. In an emergency situation, that's really

[00:04:58] [SPEAKER_00]: important that they get their care as quickly as possible. Test results can be delayed.

[00:05:03] [SPEAKER_00]: Procedures can be canceled. People just can't get the care the way that they're

[00:05:07] [SPEAKER_00]: supposed to get it. This is a patient safety issue, first and foremost. Secondly,

[00:05:12] [SPEAKER_00]: organizations have to establish a culture of cybersecurity. And by that, we have to have

[00:05:19] [SPEAKER_00]: boards and executives taking responsibility, being accountable for the security of their

[00:05:25] [SPEAKER_00]: organizations and of the data of their patients. And establishing a strong culture

[00:05:30] [SPEAKER_00]: of cybersecurity means that from a governance perspective, the organization is

[00:05:36] [SPEAKER_00]: mandating that risks are assessed, that they're made aware of what the risks are, and that

[00:05:41] [SPEAKER_00]: they're providing resources to the organization to address those risks. And these types of

[00:05:47] [SPEAKER_00]: risks are not just with providers. It's very important to realize that health care is an

[00:05:52] [SPEAKER_00]: ecosystem. And we've just seen this now recently with the ransomware attack with

[00:05:56] [SPEAKER_00]: Change Healthcare. When you have a platform that the providers are using or pharmacies

[00:06:01] [SPEAKER_00]: are using and that's affected, it affects every organization in the industry. So it's

[00:06:06] [SPEAKER_00]: a shared responsibility. Certainly these types of security concerns can be addressed. And

[00:06:12] [SPEAKER_00]: yes, how are we working with organizations to do that? We work with organizations to

[00:06:16] [SPEAKER_00]: implement standards-based security programs and compliance programs. We can use as an

[00:06:21] [SPEAKER_00]: industry the NIST Cybersecurity Framework that's established to help critical infrastructure

[00:06:26] [SPEAKER_00]: and other industries to create programs that are appropriate for their organizations. In

[00:06:32] [SPEAKER_00]: healthcare, we have the 405D Health Industry Cybersecurity Practices that were developed

[00:06:37] [SPEAKER_00]: with public-private partnership in 2019, updated in 2023. And they're aligned to the

[00:06:44] [SPEAKER_00]: top five threats that exist in healthcare. So they're very specific for our industry

[00:06:49] [SPEAKER_00]: and they can apply to every part of healthcare, whether you're a provider,

[00:06:53] [SPEAKER_00]: a service provider, your technology provider. So we're helping organizations to adopt those

[00:06:59] [SPEAKER_00]: standards to implement them in very scalable ways and to help healthcare organizations be better

[00:07:05] [SPEAKER_00]: at managing risk and implementing resiliency into their programs.

[00:07:10] [SPEAKER_01]: Thanks, Steve. Yeah, it sounds like you guys are leading the charge with some clear,

[00:07:15] [SPEAKER_01]: documented, proven practices, public-private collaborations, all based in a good way forward.

[00:07:23] [SPEAKER_01]: So really excited to hear that you guys are doing some great work there. It seems like

[00:07:27] [SPEAKER_01]: there's new cybersecurity risks constantly emerging as you brought up. 46 this year

[00:07:32] [SPEAKER_01]: compared to 25 last year is staggering. How does a healthcare organization ensure

[00:07:38] [SPEAKER_01]: that it's not only secure today, but it remains secure on an ongoing basis?

[00:07:44] [SPEAKER_00]: That's a very important point and it really starts with what we call risk analysis. It's

[00:07:53] [SPEAKER_00]: identifying the vulnerabilities and the threats and making a determination of what the residual

[00:07:59] [SPEAKER_00]: risk is. So once we have an established program, we have to realize that the environment's changing

[00:08:06] [SPEAKER_00]: constantly. And healthcare organizations, not just healthcare organizations, but particularly

[00:08:11] [SPEAKER_00]: in healthcare, they have many different types of applications, hundreds of different systems.

[00:08:16] [SPEAKER_00]: And in the past, what typically would happen is an organization would assess risk at a

[00:08:21] [SPEAKER_00]: high level, generally speaking, across the organization. What controls do we have? What risks

[00:08:25] [SPEAKER_00]: do we have? But what we've seen with cyber attacks today and with ransomware attacks is that

[00:08:31] [SPEAKER_00]: the criminals are going deeper. They're finding where there's gaps, where certain controls are

[00:08:35] [SPEAKER_00]: not in place, where certain vulnerabilities exist that might not exist in other parts of

[00:08:40] [SPEAKER_00]: the organization. So the first thing that an organization has to do to understand risks is

[00:08:45] [SPEAKER_00]: to understand where its data is and to assess each of those systems, to understand

[00:08:51] [SPEAKER_00]: where those risks are. And then they need to decide at what level of risk or what level

[00:08:56] [SPEAKER_00]: of risk are they willing to accept? That goes back to that governance thing that I said earlier,

[00:09:02] [SPEAKER_00]: boards, executives need to decide where they want to draw the line. And then the organization

[00:09:06] [SPEAKER_00]: needs to respond to those risks that exceed their threshold. That risk response and risk

[00:09:12] [SPEAKER_00]: analysis process is not a one-time thing. It has to be done on an ongoing basis because

[00:09:17] [SPEAKER_00]: the environment's changing, we have M&A going on in healthcare, which brings in new systems.

[00:09:22] [SPEAKER_00]: And then even if your environment's not changing, even if your organization's not changing,

[00:09:27] [SPEAKER_00]: you're not putting in new systems, the world around you is and there are new threat

[00:09:30] [SPEAKER_00]: actors, there's new vulnerabilities every day. So that risk analysis process needs to be

[00:09:36] [SPEAKER_00]: ongoing in order to ensure that you stay secure. And we also need to ensure that

[00:09:41] [SPEAKER_00]: we're responding to those risks that we're putting in mitigating controls and then assess

[00:09:45] [SPEAKER_00]: monitoring them to ensure that they're actually effective, that they're doing the things that we thought that they would do.

[00:09:49] [SPEAKER_01]: Thank you. And yeah, it's just ongoing vigilance,

[00:09:54] [SPEAKER_01]: ongoing inspection, making sure that not only our own organizations are in order,

[00:09:59] [SPEAKER_01]: but also vendors that we work with and other organizations that might be interacting

[00:10:04] [SPEAKER_01]: with our organizations are also compliant. I think awesome points there. We've recently seen

[00:10:09] [SPEAKER_01]: Department of Health and Human Services become more active in addressing data

[00:10:13] [SPEAKER_01]: and patient safety cybersecurity concerns. What's your perspective on these recent

[00:10:20] [SPEAKER_01]: developments and what they mean for the industry, Steve?

[00:10:24] [SPEAKER_00]: There's been a lot of activity certainly over the last 12 months or so starting with the national cybersecurity strategy

[00:10:30] [SPEAKER_00]: that the Biden administration released in March of 2023. That was followed later by the

[00:10:38] [SPEAKER_00]: implementation plan. That implementation plan outlined very specific objectives and

[00:10:43] [SPEAKER_00]: initiatives and identified timelines and agencies responsible for implementing those.

[00:10:48] [SPEAKER_00]: In December, HHS released its concept paper for cybersecurity strategy that really followed

[00:10:53] [SPEAKER_00]: some of the direction in that implementation plan. And HHS laid out four pillars of that

[00:10:58] [SPEAKER_00]: plan, including things like establishing voluntary cybersecurity performance goals.

[00:11:04] [SPEAKER_00]: They indicated that those goals might be part of future regulation. They identified the need for

[00:11:10] [SPEAKER_00]: incentives for healthcare organizations, particularly with smaller healthcare providers

[00:11:15] [SPEAKER_00]: that might need help with some of the basics, let's call it. And then they said, look,

[00:11:20] [SPEAKER_00]: we think that further incentives will be needed probably in the form of financial repercussions

[00:11:26] [SPEAKER_00]: if standards are not met. And they did release cybersecurity performance goals very recently

[00:11:32] [SPEAKER_00]: and mapped those back to the same standards I mentioned before, NIST Cybersecurity Framework,

[00:11:38] [SPEAKER_00]: 405D Health Industry Cybersecurity Practices. And then following that, they've recently

[00:11:42] [SPEAKER_00]: announced that they're going to dust off the audit program. So I think what all this means

[00:11:48] [SPEAKER_00]: is that we're going to continue to see activity at the federal level, at the government level.

[00:11:53] [SPEAKER_00]: We hope to see that there will be not just more regulations and enforcement of the

[00:11:58] [SPEAKER_00]: regulation. And we know that they are asking Congress for more resources for that enforcement,

[00:12:02] [SPEAKER_00]: but look, healthcare has struggled with cost increases, with still the aftermath of COVID,

[00:12:10] [SPEAKER_00]: labor shortages. And a lot of these organizations, a lot of organizations that could invest have

[00:12:16] [SPEAKER_00]: invested, but a lot of organizations that have not had the means or the resources,

[00:12:20] [SPEAKER_00]: they're not going to be able to do it just because we add more regulation. So they need

[00:12:24] [SPEAKER_00]: support, they need help. And we need to, again, look at the entire ecosystem as being part

[00:12:30] [SPEAKER_00]: of our critical infrastructure, something that we need to secure. And my hope is that in addition

[00:12:35] [SPEAKER_00]: to more of the enforcement and attention from the government agencies, that we'll also see some

[00:12:41] [SPEAKER_00]: incentives and some resources that are being provided to those who need it.

[00:12:44] [SPEAKER_01]: Yeah, for sure. Definitely looking forward to that as well. So really here, wanting to hone

[00:12:50] [SPEAKER_01]: in more on your company, Steve, Clearwater, how are you guys working to ensure that smaller

[00:12:56] [SPEAKER_01]: healthcare providers have access to the expertise and resources needed to protect themselves and to

[00:13:02] [SPEAKER_01]: protect themselves against cyber attacks that continue to plague the industry?

[00:13:06] [SPEAKER_00]: Clearwater doesn't just work with large healthcare organizations. We're known a lot

[00:13:10] [SPEAKER_00]: for risk analysis and risk assessments and advisory work, but we actually have a practice

[00:13:14] [SPEAKER_00]: that focuses on smaller organizations as well, including small digital health companies and

[00:13:20] [SPEAKER_00]: rural practices as well, small healthcare providers. And what we recognized several years ago

[00:13:27] [SPEAKER_00]: was as security was becoming much more complex and the needs of organizations were becoming

[00:13:32] [SPEAKER_00]: much more comprehensive, that it's becoming more and more difficult for an organization that's

[00:13:37] [SPEAKER_00]: smaller and not at scale, doesn't have the resources, doesn't have the expertise.

[00:13:42] [SPEAKER_00]: Some of these organizations, they may have one or two IT people that are responsible for all

[00:13:47] [SPEAKER_00]: information technology, let alone cybersecurity. We recognize that trying to provide them with

[00:13:53] [SPEAKER_00]: point solutions was not really going to cut it anymore. And our goal was to develop a program

[00:13:59] [SPEAKER_00]: where a small organization could get all of the services, expertise and scale of a security

[00:14:07] [SPEAKER_00]: program without having to build one on their own. And we developed a program called the Clear

[00:14:11] [SPEAKER_00]: Advantage Program. It's an advantage for these types of organizations because in that program

[00:14:16] [SPEAKER_00]: they have, in addition to a program leader, they have all the domain expertise in establishing

[00:14:23] [SPEAKER_00]: policies and procedures and doing risk assessments and doing technical testing on an ongoing basis,

[00:14:30] [SPEAKER_00]: monitoring detection and response, incident response. Again, all the compliance aspects,

[00:14:36] [SPEAKER_00]: we provide all those services in a coordinated program. We align the program to the goals and

[00:14:45] [SPEAKER_00]: run. And it's provided in a way that creates a lot of efficiency, both for us and for our clients.

[00:14:52] [SPEAKER_00]: And that saves them money. And we provide that at a fixed fee at its monthly cost. So

[00:14:55] [SPEAKER_00]: it really helps some of these smaller organizations that haven't had the means,

[00:14:59] [SPEAKER_00]: A, to develop it on their own or B, to go out and buy it. Now they can really turn

[00:15:03] [SPEAKER_00]: to a more of a managed services program and get the different things that they need. And then

[00:15:08] [SPEAKER_00]: again, implement it in a way that is aligned to their resources and to their appetite.

[00:15:13] [SPEAKER_01]: Steve, thanks. That's great news for the industry, right? To have a program that fits the smaller,

[00:15:19] [SPEAKER_01]: mid to large companies and organizations. Because at the end of the day, we're an ecosystem.

[00:15:25] [SPEAKER_01]: And the safer the entire ecosystem is, the safer we all are. And I think that the

[00:15:30] [SPEAKER_01]: opportunity is big. I can't thank you enough, Steve, for coming on the podcast today. If you

[00:15:35] [SPEAKER_01]: left our listeners with one thought, one final thought, one call to action, what would it be?

[00:15:39] [SPEAKER_00]: One final thought would be not to wait. A lot of organizations think this is something they can get

[00:15:44] [SPEAKER_00]: to later and then it takes an event for them to really start putting things into action. This

[00:15:49] [SPEAKER_00]: is important, it's urgent, and it's something we all need to prioritize and start or continue right away.

[00:15:56] [SPEAKER_01]: Amazing. And where can people find you, Steve?

[00:16:00] [SPEAKER_00]: Here at VIVE, they can find us in the Cybersecurity Pavilion 1549. And we're always happy to direct folks to our

[00:16:09] [SPEAKER_01]: Outstanding. Steve, thank you so much for spending time with us. This has been really enjoyable.

[00:16:13] [SPEAKER_00]: I've enjoyed as well. Thank you.