Start with Defense: Building a Cyber-Ready Team with Microsoft

Health care is under constant threat of cyberattacks, but how prepared is the industry to fight back? The lack of resources is especially acute in rural areas. In this conversation, cyber security experts from the AHA and Microsoft discuss the urgent need to build a cyber-strong workforce, particularly in rural hospitals and health systems, and how methods such as re-skilling can sustain permanent cyber readiness. For more information on this work, please email: mrhtp@microsoft.com


 


00:00:00:22 - 00:00:24:23
Tom Haederle
There is no shortage of cyber criminals hard at work today attacking hospitals and health systems with ransomware, malware and other weapons to extort payment by shutting down vital systems and putting patient care and safety at risk. Unfortunately, there is a shortage of cyber defense warriors in health care with the skills and training to fend off such attacks. As the number of cyber incidents climbs each year,

00:00:24:24 - 00:00:39:20
Tom Haederle
it's clear we urgently need to build a cyber-ready health care workforce.

00:00:39:22 - 00:01:13:13
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA communications. While we've seen some growth of interest in cybersecurity as a discipline, demand still outpaces supply of people who are equipped to defend hospital and health care internal systems against cyber attacks. The shortage is especially acute for rural care providers. Today's podcast invites three experts to share their insights on "reskilling" and other methods that can help develop and sustain a health care workforce that is ready for today's challenges.

00:01:13:15 - 00:01:36:28
Bill Klaproth
I'm Bill Klaproth. With me is Laura Kreofsky, Microsoft cybersecurity program for rural hospital strategy lead. We also have Josh Heizman, national managing director, security technical sales (Microsoft). And of course, we have John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. Laura, Josh and John are joining us today to discuss building a cyber-ready healthcare workforce.

00:01:37:00 - 00:01:39:16
Bill Klaproth
Laura, Josh and John, thanks for being here.

00:01:39:22 - 00:01:42:25
John Riggi
Thanks, Bill. Great to see you again and great to be here.

00:01:42:27 - 00:01:43:27
Bill Klaproth
Thank you John.

00:01:44:00 - 00:01:45:12
Laura Kreofsky
Yeah. This is a pleasure. Thanks.

00:01:45:16 - 00:01:46:12
Bill Klaproth
Thanks, Laura. Yeah.

00:01:46:15 - 00:01:47:25
Josh Heizman
I appreciate you having us, definitely.

00:01:47:26 - 00:02:04:11
Bill Klaproth
Thank you, Josh. So this is a really important topic. And of course, we're hearing more and more about cyber risk all the time. And, John, I've read many articles highlighting the cybersecurity talent gap, especially in health care. So how bad is it and how did we get here?

00:02:04:14 - 00:02:38:24
John Riggi
Well, thanks for that, Bill. It is very significant, that gap. And there's a number of reasons for that. One, cybersecurity had not really been emphasized as part of the STEM curriculum over the years. And quite frankly, as society and as industries have made greater use of network and internet connective technology, quite frankly, has provided more opportunities for the bad guys - foreign based hackers - to try to penetrate our organizations and steal sensitive data and, of course, conduct these debilitating ransomware attacks.

00:02:38:27 - 00:02:49:01
John Riggi
So part of this huge demand, this gap is based on all these increased attacks that we're facing right now. So we're trying to catch up and the bad guys are outpacing us at the moment, unfortunately.

00:02:49:01 - 00:02:51:18
Bill Klaproth
Unfortunately is right. And Josh?

00:02:51:20 - 00:03:03:16
Josh Heizman
Yeah. And I think it's also important to note, you know, even the largest organizations out there, the most mature, struggle to recruit and retain cyber talent today. So we're seeing it at all sizes of organizations, but particularly the smaller ones.

00:03:03:18 - 00:03:10:09
Bill Klaproth
So it sounds like we need to catch up here. We need to build more awareness for cyber security professionals. Would that be fair to say, John?

00:03:10:11 - 00:03:31:05
John Riggi
Absolutely. And I think as these attacks increase, the only silver lining is that it is drawing more attention to cyber security and not only in terms of the threat, but as a discipline, what we can all do. And we're receiving a lot of interest, even from clinicians now, who are interested in understanding how they can contribute to cyber security.

00:03:31:07 - 00:03:48:27
Bill Klaproth
Absolutely. And, Laura, while cyber security risk is pervasive in health care, studies have shown rural hospitals are often further at risk. So how can a focus on cyber security skilling and talent development help lower that heightened risk profile unique to rural providers?

00:03:49:03 - 00:04:07:25
Laura Kreofsky
Yeah, Bill, you are spot on. They are, I think, in many ways at higher risk. Right? Oftentimes it's just hard to get that level of talent that we need in those communities and keep it. I think that's a big part of it. Oftentimes those rural hospitals are dealing with older legacy systems, right, that they struggle more to keep up with.

00:04:08:02 - 00:04:23:06
Laura Kreofsky
And quite often the IT staff in those rural hospitals is lean and mean. And those individuals are wearing a lot of hats. And it's really hard when you're a jack of all trades to really develop and hone those cybersecurity skills.

00:04:23:06 - 00:04:27:25
Bill Klaproth
And I would think with the budget pressures that are on rural hospitals, that's got to play into it as well.

00:04:27:27 - 00:04:36:19
Laura Kreofsky
It does. Absolutely. Although I played like everywhere in health care, there is a growing understanding and appreciation of the need to invest in this area.

00:04:36:21 - 00:04:37:13
Bill Klaproth
Yeah. John, your thoughts.

00:04:37:13 - 00:05:10:07
John Riggi
Yeah. Bill, as Laura said there's definitely a resource gap out in those rural hospitals especially. And it's not only just human and the technical resource, as Laura mentioned, financial. Some of these hospitals strive just to break even. And if they're making a margin, it's razor thin, maybe 1% margin just to keep the operations going. And as I always point out to folks who say, well, that's question why don't hospitals invest more in cyber security, divert some of all the funding that comes from the government Medicaid.

00:05:10:09 - 00:05:29:14
John Riggi
And I point out hospitals are not cybersecurity companies. Job one is to take care of patients and save lives. We know that if we invested every single dollar that we make providing care for patients in cybersecurity, we still would not be 100% safe from cyber attacks.

00:05:29:16 - 00:05:38:06
Bill Klaproth
So let me ask all three of you this. Josh, let me start with you. What are some initiatives then that you've heard of that are helping close this talent gap?

00:05:38:08 - 00:06:01:18
Josh Heizman
Yeah. And then I think it's important to look outside of just the health care vertical, right? I mean, even in public education, for example, you're seeing the same types of shortages in school districts, for example, in rural communities. But I think it's important to work with public education, community colleges, right, for skilling the kind of next generation, but also look at initiatives to retool and reskill existing staff, right, to support those career pivots.

00:06:01:21 - 00:06:20:23
Josh Heizman
Even looking at your clinicians in some cases who are interested in pivoting into the cybersecurity roles, they bring an invaluable perspective to those roles, too. So I think that's important as well. But, you know, there's a lot of high tech programs out there. I mentioned in public education that historically focus on engineering roles. I think computer science that are starting to retool into cybersecurity.

00:06:20:23 - 00:06:29:09
Josh Heizman
So, you know, these organizations can partner with those educational institutions and help guide that curriculum to make it successful. And, again, kind of build that next generation.

00:06:29:16 - 00:06:30:25
Bill Klaproth
Absolutely, Laura?

00:06:30:27 - 00:06:53:06
Laura Kreofsky
Yeah, I think there's a number of ways we can do better and that we need to do better. At Microsoft, there's a program called Textbook, and it really works across rural communities to nurture and find funding for training programs for new students or for reskilling. And it's brought like 3,500 jobs to these rural communities in about 7 or 8.

00:06:53:09 - 00:07:17:17
Laura Kreofsky
And we need to do more of that. And we John and I talked this morning about private public collaboration in some of these areas. We need to continue to do that. One of the things I found really interesting in my role is I've talked to a lot of firms that in cybersecurity. There are a lot of very seasoned professionals out there that really want to do mentoring and help grow the next generation and to build those programs up.

00:07:17:20 - 00:07:44:21
Laura Kreofsky
I think that's a real opportunity. It's really unique. And I think the last part is like my perception, having a lot of nieces and nephews who are college age is that they're not there's not an awareness that this is a whole industry, right? And they're put off by, oh my God, you've got to be so technical. I mean, it does require some obviously gaining technical skills, but a spirit of inquiry and good problem solving is really, I think, the heart of a lot of what we need these cyber analysts and these cyber professionals for.

00:07:44:25 - 00:08:07:15
Josh Heizman
I was actually sharing with Laura earlier, my own wife used to be a med tech and worked in labs and hospitals, and now she's in the governance, risk and compliance space. And she's not super technical, right? But she is a very strong cybersecurity practitioner, despite not having those technical skills. So it's important for folks to know you don't have to have been a network engineer for 20 years to go into cybersecurity.

00:08:07:19 - 00:08:28:21
John Riggi
In fact, there's many layers of cybersecurity. Myself, I'm the national advisor for Cybersecurity and Risk. I don't have a deep technical background, but what my background is having come from the FBI and run some national cyber programs - I look at the risk from a very strategic perspective. I understand who the bad guys are, and I know how to disrupt them, and I know what'll work against them.

00:08:28:23 - 00:09:00:23
John Riggi
And so really thinking about multi-layered recruitment approach for cyber security professionals and also attaching a mission to it. Again, from my government service days and helping folks know that, hey, it's not just sitting in a room coding all day. You're doing something that's very important and will help protect hospitals. Now, in fact, I'll just tell a quick little story here: I was at doing a tabletop exercise for a hospital association, as I do quite often, and I come to a key point in the exercise and I point to this individual, this gentleman and

00:09:00:24 - 00:09:17:20
John Riggi
I say, so what do you think about this big decision that had to be made as well? I don't know, I'm just the IT guy. And I said, you're not just the IT guy. You are a network defender. You help defend patients and communities by what you do. He looked up. He said, you know what?

00:09:17:22 - 00:09:25:18
John Riggi
And I would do this. We're going to pull the plug on the internet, and we're going to go to our emergency action plan, helping folks understand how really important thing.

00:09:25:23 - 00:09:27:14
Bill Klaproth
Is reframing the issue. Exactly.

00:09:27:17 - 00:09:46:19
Josh Heizman
Yeah, I'd actually like to add on to that. You know, it's interesting. I manage a lot of technical specialists at Microsoft within the security space, and we are focused on the health care and life sciences vertical. And they feel a calling and a mission being in that role, specifically working with these customers, right? It's very meaningful to them. And that's why they feel fulfillment is because of that mission.

00:09:46:20 - 00:09:48:13
Josh Heizman
So, John, I think that's an excellent point.

00:09:48:16 - 00:10:12:08
Bill Klaproth
I like how you said there's a multi-layered recruitment approach going on, and it sounds like that's what we need to build awareness to get new people into this field. Okay, so let's switch to AI. We often, you know, AI is everywhere. You hear it all the time. And knowing that cyber and AI are often symbiotic, both positively and negatively, should training programs provide blended curriculums then in these areas?

00:10:12:08 - 00:10:13:12
Bill Klaproth
Josh, let's start with you.

00:10:13:13 - 00:10:37:00
Josh Heizman
Absolutely. Here's the bottom line. The attackers are using AI, right? They're using it in their offensive measures. So we have to as defenders leverage AI as well. And so, absolutely it's integral to that skilling. You know I mentioned the technical folks I work with the manage even are retooling and skilling their credentialing and making that pivot. So it's absolutely it's here again - they have those tool sets.

00:10:37:00 - 00:10:45:10
Josh Heizman
We have to use those tool sets. Imagine a professional football game right where a team doesn't step up to that next level of skill sets. It's available to their competitors, right?

00:10:45:13 - 00:10:48:05
Laura Kreofsky
Or they only played offense. No defense. Exactly.

00:10:48:06 - 00:10:53:13
Josh Heizman
Yeah, exactly. So yeah, absolutely. AI is part and parcel of any curriculum.

00:10:53:15 - 00:10:54:16
Bill Klaproth
Yeah. Laura.

00:10:54:18 - 00:11:16:26
Laura Kreofsky
Yeah I would agree. And really when you think about it, you think about AI and what we need at the front line are prompt engineers. Right. And what is that besides inquiry and problem solving, which I think are core skills and, you know, a really attuned to, to individuals with deep technical expertise or with broader interests. So I do think they're inextricably linked.

00:11:17:03 - 00:11:21:08
Laura Kreofsky
And as educators, we should look to do that holistically.

00:11:21:10 - 00:11:34:21
Josh Heizman
It's funny you say that, Laura, because searching is a skill, right? We're talking about Google and Bing as a verb, right? Be able to search and write a proper search term. And same thing with writing a prompt, right? For AI. You have to ask good questions to get good results.

00:11:34:26 - 00:11:41:14
Bill Klaproth
Do you think folding AI into this will make it more appealing to future cybersecurity risk professionals?

00:11:41:19 - 00:11:43:26
Josh Heizman
Absolutely. Absolutely. I mean, you know, look.

00:11:43:26 - 00:11:49:00
Bill Klaproth
I it's a little more sexy, more fun. Hey, okay, I can do this, right?

00:11:49:02 - 00:11:49:24
Josh Heizman
Yeah, absolutely.

00:11:49:26 - 00:11:57:29
Bill Klaproth
For sure. So, Laura, is there something else we should be doing? We talked about some initiatives that are taking place, but what should we be doing more of?

00:11:58:01 - 00:12:17:10
Laura Kreofsky
Well, I do think it comes down to more partnerships and what we're doing, Microsoft is doing with the AHA and the White House to help secure rural hospitals, I think is a really good start, and we need more of that. We need more mentorship for seasoned professionals. We need more innovative programs. And what we really need -

00:12:17:12 - 00:12:34:29
Laura Kreofsky
Bill and Josh and I've talked about this - is we've got this chicken and egg thing going where you can't get a job till you've got experience and you can't get experience until you have a job. So we need to make some very practical and high value learning opportunities that are translatable and elevate professionals in this field.

00:12:35:01 - 00:12:58:07
John Riggi
No, I totally agree. So beyond the education piece, I think what's come out of the partnership that we have with Microsoft is really a shining example of how government, private sector interests, advocacy groups like ours can all come together to work on a problem, help solve a problem for the mutual benefit, not only for mutual benefit, but for the greater good, literally for the greater good.

00:12:58:09 - 00:13:25:00
John Riggi
When I was having some discussions debate with senior policymakers at the White House and they said, you know, you hospitals need to implement these cybersecurity standards. And we were talking about the same issue, same resources, funding. And literally I happen to say to this individual, why don't we get Microsoft and other organizations to donate or provide nonprofit pricing the way they do for other industries to help

00:13:25:00 - 00:13:42:23
John Riggi
fill that resource gap that you just told me the government can't fill. So instead of just looking at this from a policy issue, whole of government is we are used to say, when I was in government, it's a whole of nation approach. Everyone has to come together, work on a common problem. We all depend on hospitals no matter what.

00:13:42:24 - 00:13:49:18
John Riggi
No matter where we live. And just in like my counterterrorism days, we got to understand the threat. We've got to come together as a nation on this.

00:13:49:21 - 00:14:06:28
Josh Heizman
And I would be remiss if I didn't bring up the technological solution to all of this, too, right? It doesn't solve everything. It's certainly a people problem. But we just talked about AI, right? Microsoft, of course. Copilot for security. We have a almost imagine a really smart friend there on the side, kind of guiding you through what to look for and how to solve problems.

00:14:06:28 - 00:14:25:13
Josh Heizman
And we're seeing this from across the industry. But it's important. There's so much noise out there, right? There's so much signal, as we call it, coming in from different sources of security, that it becomes a scale issue for humans to keep up. And so not just AI, but looking at a platform approach to security and how do we integrate all that.

00:14:25:13 - 00:14:42:27
Josh Heizman
And I remember doing swivel chair between 50 different solutions, right? And trying to piecemeal, you know, I think about more and I think I mentioned in my role on the HOA board, right? My local HOA, we have cameras and card access and we have an incident. They're not integrated, right. So it's a manual process to go kind of link the two together.

00:14:42:27 - 00:14:52:16
Josh Heizman
And we're just now moving to a vendor that automatically does that for us, right? So it's so important to have those pieces tied together and have that systemic approach.

00:14:52:18 - 00:15:05:25
Bill Klaproth
Absolutely. Well this has been a great discussion. I want to thank all three of you. Before we wrap up, I'd like to get some final thoughts from each of you. John, let's start with you. Anything else you want to add as we finish up talking about building a cyber ready health care workforce?

00:15:05:26 - 00:15:31:15
John Riggi
Well, again, I think we have to understand how important cyber security roles are. Recent events, CrowdStrike, the issue that happened there, not related, not malicious, not a malicious attack, but it shows how dependent we are on the availability of technology. We have to understand that these attacks are increasing. We've had Change Healthcare that hit us earlier this year on how dependent we are on the availability of technology.

00:15:31:17 - 00:15:46:05
John Riggi
So this is...these threats are not going away. The use of AI will accelerate these threats, quite frankly, but it also could accelerate our capability to defend against them. So there's a mission here. It's not just a field of work.

00:15:46:10 - 00:15:50:29
Bill Klaproth
Yeah. Dependent and vulnerable at the same time. Vulnerable exactly at the same time. Laura, final thoughts?

00:15:50:29 - 00:16:11:05
Laura Kreofsky
Yeah, I think about this. You know, I spend a lot of time working in rural hospitals and in the safety net. And I think they, as we've talked about, are particularly vulnerable and, you know, we're going to need to do more from a resourcing, from a funding standpoint to support them. Because as we talk about it's not an if question.

00:16:11:05 - 00:16:21:18
Laura Kreofsky
It's a when question for every health care organization. And so we need to look at those organizations as a vulnerable link in a very large ecosystem.

00:16:21:20 - 00:16:26:27
Bill Klaproth
It's not an if, it's a when. That's a great way to put it. And Josh, final thoughts from you.

00:16:27:00 - 00:16:42:29
Josh Heizman
I just want to re-emphasize that point about reskilling - you know, existing folks, right? Just because I have seen so many examples of success of that, I did it myself again working in public education. I was in it and then pivoted and brought that perspective. And having been a classroom teacher, right? And then working at a school district in IT.

00:16:43:06 - 00:17:01:16
Josh Heizman
So again, my sister is a nurse practitioner, and we've had conversations. She's asked me questions before about, hey, that'd be interesting to pivot over to cybersecurity, right? So again, it's not just looking at those old school IT folks that somehow that that's that is your only talent pool for these roles. I would really open up the field for that.

00:17:01:18 - 00:17:20:12
Bill Klaproth
Absolutely. Look elsewhere and you never know who's going to raise their hand, as you said earlier, we need people to start raising their hand. Laura, Josh and John, thank you so much for joining us today at our podcast table at the 2024 AHA Leadership Summit. Once again, we have Laura Kreofsky, Josh Heizman and John Riggi. Thank you again to learn more.

00:17:20:12 - 00:17:34:10
John Riggi
I'll be remiss if I don't take a moment to just thank you, Josh, Laura and Microsoft for answering the call for assistance to help defend the nation's rural hospitals. We appreciate it as an association. We appreciate it as a nation.

00:17:34:11 - 00:17:35:07
Josh Heizman
Thank you. Thank you, John.

00:17:35:07 - 00:17:48:26
Bill Klaproth
Agreed and very well said. And for more information on this, please email MRHTP@microsoft.com. That's MRHTP@microsoft.com. Thanks for listening.

00:17:48:28 - 00:17:57:09
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify or wherever you get your podcasts.