JoAnn Ioannou is the Senior Advisor to the President for Strategic Initiatives for Johns Hopkins Health System and was formerly the Chief Nursing Officer for Greater Baltimore Medical Center where she was named by Becker's Healthcare as one of the 50 CNOs to Know.
As a Hospital Healer, JoAnn has faced many challenges, including a vicious malware attack that took all systems offline in the middle of the pandemic.
Learn how JoAnn led her hospital during the malware attack, the steps she took to ensure patient safety and care were put first, and the practical tips she provides to help other hospitals and health systems prepare for similar cyber attacks. JoAnn also discusses her guiding principle of servant leadership and her thoughts on the different roles that community hospitals and large academic health systems play in the healthcare ecosystem.
Before the interview, host Rich Palarea gives color to the real threat of cyber attacks on our hospitals. After the interview, Rich welcomes Kermit Vice President of Technology Mike Jackman to give his perspective on the state of cyber security for healthcare providers and suppliers and outlines the 3P's all organizations should follow.
Intro: 00:00
Rich Palarea: I'm joined today by JoAnn Ioannou. She is a senior advisor to the president of Johns Hopkins Health System for strategic initiatives. It's a relatively new post that she took in the third quarter of 2022. This is not JoAnn's first tenure with Johns Hopkins. She was the director of neuroscience and psychiatry nursing for nearly three years, from 2013 to 2015.
Most recently, JoAnn was the Executive Vice President of Hospital Operations and the Chief Nursing Officer for a wonderful community hospital where two of my three children were born, Greater Baltimore Medical Center. She held that post for two years, and she joined GBMC as the Senior Vice President of Patient Care Services and its CNO in September of 2015. She holds a doctor of nursing practice degree from the Johns Hopkins University.
She also attained an MBA and an MSN from Hopkins. She earned her RN degree from Stevenson University and a BA in psychology from Towson University. My mother and father would've been so proud of me for just achieving one of those degrees. So JoAnn, it's great to see you. Welcome to Healing the Hospital podcast.
JoAnn Ioannou: It's good to see you, Rich. Thank you for having me.
Rich: It's my pleasure. I'm so glad you said yes to this because when I thought about the fact that October is National Cybersecurity Awareness Month, you have a story to tell about that. We're going to have the listeners on a journey, I think, a little bit as they hear kind of what you've had to navigate.
But first, at the top, I always ask this question to all of our guests. A Hospital Healer is somebody who comes on our show as a guest, and we dub you a Hospital Healer because you have that essence of, when you see a problem in healthcare, it's not just enough to kind of do your job. You'll get in and make it better.
You've done that as a clinician for many years now doing it as a senior executive, and so you've kind of seen both sides of administration and the clinical practice too. But when you think of a hospital healer, is there somebody that you can think of that you can give us a name, somebody you've worked with who really exemplifies that?
Somebody who maybe you met in your early days of nursing, somebody who was a mentor to you? Who in your mind would you say is a Hospital Healer?
JoAnn: Well, you know, I've been fortunate. I've had many mentors throughout my career, and I can tell you I learned early on from my CNO when I was a new grad at Hopkins, her name is Dr. Karen Haller.
She was a servant leader and she taught us to have that mentality to always, number one, make it about the patient, your colleagues, families, and to be able to serve, because that's what gives us the opportunity that we feel we're getting people, not only the patient and their loved ones, to the best outcome that anyone would want.
Because when you're at a vulnerable time in your life of being ill, it is incredibly humbling and all you want is someone to really take the time to take care of you, to understand what you're going through because we're all going to be in that type of situation at one point in our lives, and it's a privilege and an honor to serve in that capacity.
So, I've always learned early on that. Not only did I have a calling to go into healthcare because I always wanted to make a difference and help people from a medical nursing standpoint, but to also serve. And I've learned that it's a privilege and an honor to do that. So I've also had it from physician colleagues that I worked with where we had that common belief.
And that has always been the way I've always practiced, that it is my job to be able to serve in whatever capacity that I am either delivering hands on patient care or administratively within a health system or in a hospital. Not only the patients, but to serve my colleagues as well.
Rich: Yeah. Or even the wonderful wife and mother that I know that you are, you're doing it at home even after hours. Well, you talked about it's an honor to be in that position. I totally agree. I remember when I landed myself at a community hospital a couple of years ago, and I felt completely helpless. I was at the mercy of the people who were caring for me, and just to have a hand of compassion and people that cared, who were trained to do something really well, gave me a lot of peace of mind. So, I totally get that.
But speaking of the honor, there's another honor I want to remind you about. You were named by Becker's Hospital Review as one of the 50 hospital and health system "CNOs to Know". Tell me a bit about what it meant for you to have that national recognition?
JoAnn: Well, that is very nice when you're honored by organizations, but that's not what fuels me, it's all about if I know I made a difference in someone's life, whether it's a colleague or a family or a patient, that means more to me than anything. But it's nice when people recognize certain achievements. But I tend not to gravitate towards that.
And, you know, it's something that I don't really pay a lot of attention to. Not that I think Becker’s is great, I'm not saying that, but I prefer to be honored in a different way, quietly, is what I'm going to say.
Rich: I fully understand that. I mean, they took notice of you in your role as a Chief Nursing Officer, but I think our community did as well here in Baltimore, because you were at the helm of GBMC when Covid hit. You were in charge of nursing and you were also, you had unwittingly, I think, found yourself in charge of operations as well, because you had a departure in your senior executive team, so you were handling a lot of stuff.
I've heard from a lot of others who've come either on the show or in passing about what it was like to be in the hospital during that time. There have been clinicians and we've seen a lot of their stories on tv. And there have been executives too, and a lot of the executives rolled their sleeves up and pitched in.
Tell me a little bit about your executive leadership position in the hospital at that time, navigating the pandemic, setting things up what was it like for you?
JoAnn: Well, you know, I think because no one really knew what Covid was going to mean when it happened. And one of the first things we did in other hospitals across the country, the world is create command centers. Because you always have a command center when a crisis occurs. And when you have a command center it almost brings the chaos under control where you're able to control what is not only going to happen within the hospital in terms of operations. It helps you navigate how you're going to continue to deliver care to keep the patients protected, but also your staff.
You know, back in the day when I first started as a nurse, I started in infectious diseases on the AIDS service. And this was in the nineties, and this was the height of the epidemic, and there were a lot of unanswered questions of how people were getting AIDS, how it was being transmitted.
And a lot of people were scared. So I remember taking care of patients who had tuberculosis and how you had to garb and wear the equipment and the HEPA filter and, 12 hours a day and you're in this suit all the time and it's exhausting. But it was time limited. So I knew how many patients I would have based on their isolation requirements, and you could manage that.
So, when you had Covid, everybody had to wear protective equipment and gowns, and it was 10 times worse because, whether you had Covid or you didn't, to protect yourself and other patients you wore that PPE all the time. I don't think anybody really expected the burnout that the staff would have.
And so we were already in the midst of a nursing shortage. And then when you add Covid, it affected all the disciplines who had to touch a patient. So I think the lessons learned were of how tired and exhausted the healthcare workers were. And we didn't know how long it was going to last.
It was a daunting test in the beginning, but clinicians have reserve and they kind of figure it out and you keep going. But I think what really caused such a labor shortage even within healthcare for every discipline Covid really exhausted people, not only physically, but emotionally.
Rich: Yeah, for sure. Wow. I mean, you just took me through, I have this like, emotional picture in my head of what that must have been like to be there. We at Kermit in our business, we are accustomed to going into the hospital and meeting with the staff to show them the value that we can provide and that basically shut down.
We're not able to be with them because you were doing very important work. And so I can't imagine what it was like to be there. We only saw pictures on TV, but you were there every single day. And then the pandemic rages on for nearly two years, and you're still in the thick of it.
You encounter an unthinkable reality on December 6th, 2020. So just to mirror that, it was maybe like March when everything kind of broke out with Covid, and then in December. You remember when President FDR said that December 7th would be a day that lives in infamy, and for you it was December 6th?
JoAnn: Yes. I'll never forget December 6th.
Rich: Yeah. So take me back to that day, if you will. Well, like you said, the day you'll never forget, you shared some crazy things with me before, but I don’t know if I've heard the whole story, I'd love for the listeners to hear the whole thing.
JoAnn: December 6th, 2020 was a Sunday, so you're correct. Covid started March of 2020. December 6th, on a Sunday, I'm excited. I'm going to wake up. I'm going to go to church. It's going to be relaxing. Well, my phone goes off, starts blowing up at 6:00 AM, and we're experiencing a malware attack. So I get up to get dressed, run over to the hospital, and the entire system was shut down in minutes.
So this is where I say Covid is a good thing because we already had the command center in place. So you get the necessary people involved. We start processing, how are we going to deliver care? And when I talk about it now because when you prepare in a hospital, you have to prepare for fire drills for a whole bunch of things you do to ensure if a system were to go down, how are you going to function?
And usually what hospitals do is that they get these big binders and they put everything in paper and in order and say, Okay, if this happens, go to tab A and so forth. Well, when you go through a malware attack and nothing is working, the binder is not helpful. It's helpful for certain things, but for example, how is a patient going to order a meal, and it's going to get to the kitchen, and the kitchen's going to be able to fix it, and it's going to be put in the special cart for transport to come and get it to the patient?
So there's multiple processes that have to go in place. So that's what we did and of course what's number one is patient safety. So we developed a strategy very early on of nothing goes to pharmacy unless it's checked by safety officers, vice versa to ensure that we're doing right med, right patient as an example.
And that worked beautifully. And as a clinician, when this occurred, what is wonderful to see is everybody steps up. People come out of the woodwork and they say, What do you need me to do? So thank God we had the command center in place. Thank God we put processes in place. Because you need to understand, when I started practicing in the nineties there wasn't an electronic medical record.
Everything was on paper. We had our blue charts. Everybody who's a clinician knows what the blue chart looks like on the nurse's unit. But now you have a generation who's never grown up with paper. Or understand what a written order looks like or how to sign off on things. So there was a team of clinicians who took time to educate, to build the forms so that was standardized.
So everybody was knowing how to write, how to execute, and how to deliver care that was built in an electronic system. Now it's all on paper. So you sit there and you say, Wow, this isn't taught in medical school. This isn't taught because we're so dependent on electronics now, which is not a bad thing.
It's just a reality. So what I've learned from that experience is it's not about the binder. The binder is one aspect of it. The other huge component of it is once you're up and you survive something like that, what's the most important? Tabletop exercises, mock exercises to say, Okay, we're shutting this down. Execute.
How would you communicate with pharmacy? How would you communicate with the kitchen? How would you communicate with environmental care? How would you communicate with a physician, so forth? So that day was a unique day. So that happened. I was there for many hours which you were saying.
Because I know we talked about this early on when I told you what happened to me that day, then I'm driving home and somebody hits my car. It's a hit and run and they take off. So, I had to deal with that. And then my husband, who was just recovering from surgery was having a medical situation.
And as I'm trying to deal with a hit and run says to me, Can I ask you a question medically? And I turn around, I'm looking at him like, Oh, this isn't good. So I had to take him back to the hospital. Thank God he was okay. But I thought, you know, when they say things come in threes, that was a trifecta that day.
But I want to say two things. One about Covid: the year 2020 was deemed by the World Health Organization the Year of the Nurse. Okay. It was also Florence Nightingale's 200th birthday. And let me tell you something, the Year of the Nurse, I do believe, and I mean this because I think you have to look at the positive that comes out of very challenging times.
Covid really elevated the nursing profession in my opinion, because people really understood what a nurse can do because a nurse does not come in one shape, size and what they do in terms of delivering care. There's nurses who do informatics, education, care management, population health, a utilization review, you name it.
So I really do believe Covid did the nursing profession. It brought it to the forefront. I mean, we've always been the number one trusted profession and still are. But it really elevated the practice. The second thing is when you go through a malware attack, it shows you who is resilient in terms of how disciplines have to come together to take care of the patients and the community.
So as challenging as it was, we learned a tremendous amount. And you have to be able to be prepared, because for hospitals it's so hard to invest in the software to protect organizations, because it's not capital, you can't see it. Okay, so if I'm going to invest in building a new building for patient care, I know what it's going to look like.
Organizations, not even in healthcare, go, God, it's going to be really expensive maybe to invest in all of this software, because you don't just buy one software package and say, Okay, I'm good for the next 20 years. It doesn't work that way. It changes constantly to keep up with the threats that come in.
So not only do you have to have that component for safety, you also have to have the mocks and the tabletop exercises to be the most prepared and to say, Okay, if something were to happen tomorrow, we know we could address it. Is it going to be perfect? No, nothing's ever perfect, but at least you're prepared and people feel confident of how they're going to execute care.
Rich: There's so much to that. Something that struck me that you said a moment ago was kind of like the adversity brought out the best in people. You all of a sudden had a team around you who said we're going to figure it out, Let's go, almost like everybody knew their role or they figured it out on the fly.
Very important to have smart, dedicated, compassionate people who are in the mission, on task, ready to go. It reminds me a little bit of the terrorist attacks on September 11th. All of a sudden, on September 12th, we all had kind of one shared goal.
The best in everybody came out, and I think maybe it's kind of the picture you're painting about what happened in the middle of the malware attack where everybody said, Okay, this is where we work and this is where we serve, and we're called to this mission.
Let's jump in and figure it out. What do we need to do?
JoAnn: And I think authentic leadership is a big part of that because you have to remind people what is the mission? And you're right. What happens is, because it's very stressful when these type of challenges happen to anyone.
Not only did clinicians step up, nonclinical people stood up and said these are our patients. This is our community, this is our hospital. We have to do the right thing here. But it's exhausting. So as leaders, you have to figure out what is going to keep your staff going.
And that's where, in my opinion, the servant leadership comes into play. Because you have to be able to assess what people need and you have to hear the voice of the workforce to understand how much they are suffering. Yeah, it was a double whammy. You had Covid because, you know, as you remember, at that time the surge kept going up.
How many ICU beds did everybody have? Are we going to have enough capacity? The nursing shortage and then you're trying to rebuild your systems. I mean, you walk away some days and you're like I really can't believe this is happening. I'm like, Okay it is what it is. And you have to find ways to stay healthy and keep going in every day and doing the right thing for people because it was challenging for clinicians and non-clinicians. It was very challenging.
Rich: You said something earlier that you reminded me of something, because I think we get on this side of Covid where yes, people are still getting sick, it's out there. But I think we've learned a lot about how to deal with it, where there was a lot of uncertainty. We didn't know when it was going to end.
We just didn't know. And then you pile on this malware attack that had ransomware involved in it too. So, there was another party. It was making things very difficult. That you didn't know when this was going to end. So, in my own head, we're sitting here recording this on a Friday. The weekend is ahead of us.
It's a beautiful fall day. You're in the mid-Atlantic and everybody's thinking about what they're going to do. That didn't end for you. You didn't have weekends. You came back on Monday, and you're like, We're right back into it. Like, did we make any progress? Did we move backward? What was that like?
JoAnn: Daunting.
Yeah, it was daunting to be honest. But, you know, I had my peers and others that we would all support each other, and you just have to chip away at it every day, because if you have the mentality you're going to boil the ocean, it's not going to work. You can only control what you can control, and you strategize on what has to be implemented, corrected first.
As you know, if you have your guiding principles, patient safety, so forth. Go down the list. You stay true to that. You just have to chip away at it every day. And that's what we did. That's why it took so long.
Rich: And a very good discipline to remember as a healthcare executive to be able to have that kind of one day at a time mentality.
Because we've seen so much burnout. 800-some CEOs have left their healthcare posts just this year, and we see what's going on with nursing. There's got to be maybe a rethinking of how we fundamentally, how we manage healthcare today. With the pressures we have, it can't be the way we've done it in the past.
I'm wondering, since you've seen kind of both sides now, you've been in a very dedicated, very proud community medical center and also your time at Hopkins before that and now where you are now, that's the academic large scale, even global at Hopkins Health System. I can think that there would be traits that have served you well in both sides.
What do you like about each, I think there's probably something unique about both that really resonate with you, right?
JoAnn: You know, I grew up at Hopkins as a nursing student many years ago. And I only knew academia. And then when I had the opportunity to go to GBMC, because I'd never worked in a community hospital setting they were very different because, a tertiary academic medical center. I mean, you see the sickest of the sick and you have the research aspect of it as well.
GBMC is a very special place. It's dedicated to the community. It's also dedicated outside of Baltimore County. They have primary care in the city and Jonestown, and they're known for delivering excellent primary care. It's very comprehensive.
So I learned a lot. Focusing on the community and what a community hospital does, and I am grateful for that opportunity. It's an amazing hospital. My daughter was also born there. And it's a premier service. And then having the opportunity to be at Hopkins now in a different capacity, because I grew up in academia, I see it very differently.
Covid and how we deliver care in the United States is very different than even when I was a clinician because of total cost of care. And we are a state that has a Medicare waiver and we're the only one in the entire United States. So it is different in terms of controlling costs and being efficient and so forth.
So I've learned a lot in both places and how we do things. You know, there's countries and there's other states who are doing hospital at home. In terms of population health and how to prevent even admissions, we've always tried to do things like that, but there's such a focus on looking at total cost of care today to be efficient and so forth, because it's very expensive.
And then you've got the huge component of labor. It's not just a nursing shortage, there's shortages in every discipline. Physicians, nursing, respiratory, ambulance drivers. I'm like, really? There's a shortage in ambulance drivers? And then it's not just in healthcare.
You look and see what has happened. I was looking at some of the data prior to Covid and it really, the people leaving their jobs, started even well before Covid, Covid just accelerated it. So people have kind of figured out, is it one person being able to provide as opposed to two people in a home providing for their families.
I don't think we know enough about it yet, but how we're going to deliver care is going to continue to evolve because it has to be more efficient, and if you compare us to other countries, we are very high in expense compared to others. So, it is expensive. I mean, I personally believe we have the best healthcare system in the world.
We're very fortunate. And then even looking at Maryland, I mean we have two major academic medical centers, right? You can't go wrong there. And there's a variety of hospitals in between that you can select that give excellent care as well. I mean, we're a very unique state, but I think we're also a very fortunate and blessed state if you ever get sick in Maryland.
Because for sure the access is just amazing. I don't look at it like, what's better? It's just different. And you know what an academic will do community hospitals can't afford to do and that's okay. But we are blessed to have two major academic medical centers and it gives patients choice and opportunity.
Rich: Yeah, it's like a human body. Not everybody can be the eyes and the feet and the hands, but nothing functions unless we have all the parts. So, I feel the same way. I didn't pick Maryland when I was living in California to move to; I moved here because my wife is originally from here, and we just kind of ended up here.
I also feel the same way. I feel very fortunate to be in healthcare in this state with the kind of institutions we have. I think also that we're all very fortunate today to have you here to hear your story. You covered a lot of stuff. Some very practical things that people can think about if they're going to be preparing for what you've been through.
I don't know that anybody really sits down to prepare. Maybe we build the binder and we tuck it away and think we've checked it off. But you gave the listeners very practical advice today about tabletop exercises and the practical way in which you need to be thinking about this before it happens. So, I'm fortunate that you came on.
I'm glad you were willing to tell your story, and we're grateful that we have access to somebody like you who's had your breadth of experience to come on the show today. So thank you very much for being here.
JoAnn: Thanks for having me, Rich. It was a pleasure to see you again. And you know, it's been a wonderful time to go through.
I say that now because I really like to end things on a positive note. And even though I think our challenges in life, whether they're professional or personal, will just always make us stronger. You just got to go through it.
Rich: Yeah, no, you're absolutely right. So, thanks so much, JoAnn. It's good seeing you.
JoAnn: It's good to see you. Thank you.
Rich: Well, I really enjoyed that interview. I hope you did as well. And now I have another special guest with me, Mike Jackman. Mike is the Vice President of Technology here at Kermit. And I wanted to bring Mike on today because I wanted to get his reaction as a technology professional who's worked in much larger organizations than Kermit and dealt with HIPAA concerns and PHI and security and all that stuff.
So Mike thanks for coming on the show today. It's great to have you. How are you?
Mike Jackman: I'm doing great, Rich, and I appreciate the opportunity to come chat about this. This is a topic near and dear to my heart, without a doubt.
Rich: Yeah. Great. And like I said, I think you're the man to do it. So, JoAnn hit on some interesting themes.
I think it would be pretty crazy if you think about the role she was in. She was a Chief Nursing Officer at GBMC, and then she kind of inherited some operational roles and then all of a sudden found herself in the midst of a Covid plan that she was executing. Boom, she has a malware attack and not just any malware attack.
It was a pretty significant one from a group of hackers that were notorious and already known actually by the FBI. When you listen to the answers and kind of how she laid out some of what she experienced, what kind of hit you initially, what kinds of things did you think about, especially things that you may have seen in your career before you joined Kermit?
Mike: Yeah, I mean my initial reaction, knowing day and time, JoAnn was not the only one during that window in 2020. There were four other health systems that got hit all within about a seven, eight month window that we think happened by some of the similar bad actors.
So, my first reaction was empathy. I mean that we've got a leader here in an organization that is trying to stay true to her mission and has been hit with something at a point in time in our history as was noted was unprecedented. I mean, here we are trying to figure out how to do things in a fully virtual context, maintain quality of care, patient first and wham, the systems we rely on are no longer available.
And so, first reaction really was empathy. I would say the thing that came out that I heard repeated from her that I thought was great was the mission first of, the organization she's working with stayed as the principal point around all of their decisions in terms of how they were going to deal with that.
Everything came back to that mission, patient safety and patient care as job one. And I thought that was, a big point that she made. Other things that kind of came out for me, I noted that she referenced the leadership of the organization and how it really became an all hands on deck moment.
And that it was not something that was necessarily I'd say a surprise from the standpoint of, knowing that this had happened to other organizations, it sounded like the leadership was prepped, that they knew that this could happen, that they didn't like it, obviously. But they were ready to go and they knew that they needed to roll up the sleeves and get into the mud quick.
Rich: Yeah. Not just the preparation that you mentioned too, but can you imagine you've got a whole staff of clinicians and administration people who stop in their tracks. They can't do what they're used to, which is, I'm going to sit down today and log into my email, or I'm going to get on the web. Or I'm just going to place an order through one of our internal systems for some food.
All of that stops. And who do you look to as a staff person? You look to your leadership and for those people to react the way they did cool, calm and collected and go to their process without missing a heartbeat is so critical.
Mike: Yeah. Without a doubt. And we know when panic situations happen that panic doesn't solve anything.
And certainly in the healthcare space, you expect to see that. But to hear her describe that it was leader after leader that was ready to get in that war room. And I think that was a neat thing too, that I heard her mention was that, part of their planning obviously was just a physical location of where do we all go to meet, to talk about what has just happened and what do we need to do.
I thought that was outstanding. I'd say maybe the only other thing that I heard, from a reactionary standpoint, that I think gets lost sometimes, is that these situations, as much as we want them to be something that can be preplanned and we're going to do step one and step two down to step 875, that there is no standard operating guide that can cover all of these types of scenarios.
And so she emphasized several times, and I thought it was a huge positive, not just that the leadership was willing to roll up the sleeves, come to the war room, start working through it, but how flexible they were in recognizing that they weren't going to have all the answers and that they were going to need to do some things on the fly.
Rich: That really hit me too, Mike, when she started to talk about how it wasn't enough to have that continuity plan in place. They couldn't just take the notebook off the shelf and say, What do we do in this instance? Because that was a broad plan. But the fact that they laid it out on the table. They did these tabletop exercises where they rolled through each critical piece.
I never thought about the pieces she was talking about when I thought of a malware attack. All the pieces in ordering just meals for patients who are already on the floor. There's probably hundreds, maybe thousands of those types of processes that need to now be remapped in an offline realm, to keep everything working and to have it work in a safe way.
Mike: Well, and it was neat how she talked about that and when we get into these types of events, we tend to think of them as being IT centric. And the point that came out again and again with JoAnn was, look, there's raw business implication to just the mechanics of doing business much less, the IT value that's now lost that enables, some of those mechanics.
And to that point I thought of a simple example. I think I had shared with you, knowing we were going to talk today. I was with an organization that had gone through some planning like this and had realized that just getting people into the parking lot, someone had to raise that barrier just to get folks into the parking lot to get them to the war room, to begin the discussions around what are we going to do?
And so it's even just, little subtle things that are affected as a huge cascade when you go through something like this.
Rich: Yeah, I think about Kermit, we're kind of an interesting mix of senior leadership who are more in their forties and fifties age-wise. But we have a fairly young cohort of people here for the rest of the company, and these are people that have not grown up in the era of anything but computers and cell phones.
And so when you think about preparedness and some of the best practices that you used in some of the larger organizations that you've been at and you've brought here to Kermit. Talk a little bit about how to be prepared, especially for people that all they know are computers, they're going to be quite lost if we don't prepare them for what happens when those systems are not available to them, right?
Mike: Absolutely. And you've already honed in on the most important. I tend to categorize these things, and we call them the three P's, right? You've got people as a portion of this; protection, the controls and systems that you may need to put in place, physical things that we do; and then process, right?
How do we bring the people and the protection controls together? To create a common strategy for dealing with, InfoSec risk and information security risk. So that first one is the most important leg in all of this, which is your people. They are the interaction, they are the targeted folks, believe it or not, in the overwhelming majority of these.
The first step that I'd recommend any organization, we've started to do that here at Kermit, and it's been done in pieces and parts over time, is educating those people. What are these bad actors? Who are they? How do they operate? How are they trying to get to folks? We know statistically still that, if you look at some of the FBI data that's out there that, over 97% of these ransomware attacks that happen, or these breaches that take place that we read about, happen as a result of a phishing attack.
It starts with that, where some bad actor was targeting somebody within the organization who ended up responding to that attack and that opened the door to potential consequence. So the first thing is educate and never stop doing it.
Who are these threats? What are these threats? How can they get in? How can they interact? But you got to do that in a culture that's positively reinforcing. So one of the things that I also noticed in JoAnn's interview with you and that I've seen in other orgs is, you want to build a culture that says, Look, if you make the mistake, we understand it could happen.
And not only that we are going to enable the whole org to report it, to manage it to help us get the identification of where we're being attacked. You can put all the monitoring tools you want out there. These folks that conduct these activities, these bad actors are savvy.
And so now you're really dealing with targeted phishing where it's specific to an individual within an organization around something that they would think is familiar. So, when we talk about that, people it's really about that education practice and then positive reinforcement within your culture that, we all have responsibility in protecting the organization.
And there's not going to be consequence for raising the flag, for saying, Hey, I think something doesn't make sense with what I'm seeing with communications, with my daily function and interacting with technology and seeing something that doesn't sound right, doesn't seem right.
Rich: And before you move on to the more intricate pieces of this plan, talk a little bit about that, maybe call it social engineering, that goes on with a hack. I think a lot of us who are business owners or maybe just in charge of an organization, but not necessarily all that close to IT, think of this as this is all dark web stuff, right? These are hackers out on the internet that if we click a link, we are exposing all this information.
There's an aspect to this that could be socially engineered too. If you really want to target a specific organization, it's actually much easier to stand in line every day at the lunch place when you have employees coming through from that organization get to know one of them. Strike up a conversation and figure out where those vulnerabilities lie. It's not all just online activity that goes on.
Mike: No, it's not. And when we talk about social engineering, understanding people's habits, practices, likelihood of what their types of activities are.
These are all things that, to your point, can happen in an offline setting that can help set up the staging for an attack. But you know, when we talk about online now, just go out and Google search yourself. And you're going to find that your information's available in multiple sources, whether you're dealing with ZoomInfo or your corporate contact info.
It's all publicly available now. And you take that combination of available data, both online and offline. And these bad actors now can come in and say, Listen, I know you're in this role and that you have an interest in this, and all of which is true. And so it starts with truth which then leads to a specific attack and leads to the mistake.
And that's where that education piece is so important, because you can't patrol the entire internet and you certainly can't prevent yourself from sharing, you know, who you are as an individual because of this fear.
Rich: Yeah. Without giving away all the secret stuff you're doing for us here at Kermit, which is really cool to keep us safe, what are the best practices when you think about protection? I know there are a lot of different things from where you start to where you end and nothing is perfect, but can you give the listeners a high level things that they should be thinking about?
Mike: Yeah, absolutely. The first thing is thinking about risk posture related to the tools that you may have in the organization when we talk about protection and your policies, right? What are the policies that you have? And so the first thing that, I would kind of hone in on are things that, help regulate identity access.
And so today there's a very common term that's out there called Zero Trust. When we talk about, network and network access we want to assume that nobody's allowed to access and that we want to prevent that access without specific permission, without going through a specific process.
So having a Zero Trust policy right out of the gate. And that's gotten so much harder with cloud and cloud technologies, where folks now can get to networks and network domains and access in a plethora of ways, whether you're talking about tablet, cell phone, laptop. It's even stunning at this point where there are organizations that have vending machines that access their networks, to the point that you're entering your credentials into a vending machine to get your Coke or to get your candy bar.
And it's crazy. The Internet of Things has opened up the ability to allow multiple devices at any point in time, so Zero Trust is a big deal. You don't let a device access your network that you're not aware of, and that has not had to go through a specific process and a specific protocol.
So that's kind of the first thing. When we talk about non device types of things that we can do, we want to encrypt all our data. There's just really, in today's world, no reason for the data and data stores and the way that data is maintained and managed for it not to be encrypted and, it's minimum 256K when we talk about that, it can go higher.
Certainly there's all kinds of tools out there that can help you with data encryption and the management of data. We want to make sure that we validate the use of that data and access to it, as we kind of talked about here in multiple ways. So very simple things like multifactor, which is where you're asking a user or a system to identify itself in multiple methods to ensure that we have the correct person or system getting that access.
When we talk about users and user provisioning, one of the things that we've talked about, here at Kermit and other organizations I've been with, is role-based provisioning specifically around PHI and PII.
So, what does that mean? Not everybody needs access to all PHI, right? It may be that I need the patient demographic and that's all I need because I'm doing some analysis work of some sort. It may be that I really do need patient name and address, et cetera, but you want to compartmentalize that information and you want to set up your team and the folks that are accessing that against a policy of minimally necessary information to get their function done.
And that's really easy to do today. There's lots of ways that you can segregate the data and allow data permissions, data access within your applications within your infrastructure to enable that. Other things you can think about, segregating those data sources is a big deal. And that helps kind of that previous point of isolating the information and making it, minimally usable.
You can do things like zoning within a network. Again, create network zones that isolate that information, those applications, et cetera. And then the last thing that I would recommend, when we talk about the protection side of it is, again, under the assumption things are going to happen. You want visibility as much as you can get to the access to data, the usage of the data, the move of data within your network, within your organization. Almost all of these tools, both hardware and software side enable logging and they can tell you what's happened down to the bit. It's pretty incredible.
And in some cases, cost prohibitive, but there are lots of tools you can put out there, even just local client side, that let you know what's happening with access and movement of data. So, you want to have those controls in place so that not only are you stopping potential move and access of data, but you can see what's happening when you've allowed it. So, those are kind of the protection category, and there's lots of things that you can explore.
Rich: So I could recall being in charge of an IT group at another job that I had many years ago. We were just kind of starting to learn about information security, what I recall back then, there were just a few tools you could leverage and they were all fairly expensive, and you had to kind of pick and choose how much you wanted to go after based on the budget you had.
You may have a philosophy that everything is important. We shouldn't worry about cost because information is worth more than money these days and we should protect it. But have these things gotten cheaper? Are there more competitors now? Is it just as easy to encrypt all of your data as it is just your sensitive data? What's your philosophy on that?
Mike: So that's a great point, Rich, and as the proliferation of the attacks has taken place and these bad actors are bigger, broader, more capable, the information security industry on the technology side has responded. And it's responded with tool sets that are enterprise class all the way down to small business tools.
And so I would tell you that there is a set of tools, a suite of tools, that is cost manageable no matter what size organization you are, to help be proactive in getting and enabling tools to stop these types of things and become aware of the players out there, like Microsoft. They offer a Defender suite at the client level. It's free!
That's an easy one that can be enabled if you're a small business, all the way up to something like CrowdStrike, where you're managing your cloud endpoints in a third-party model and they are actually handling all the security controls around access and monitoring.
So, there's a plethora of tools out there. We could do a whole other podcast just on what are the options. But the answer is yes. If you want to go do this, be proactive in addressing these things. There are things out there that are not cost prohibitive that can give you a degree of protection. Without a doubt.
Rich: That's good to know. So, as we put a bow on this show, why don't we leave the listeners and the viewers with kind of some practical things. You're a leader here in the organization. You're speaking with both healthcare leadership maybe there's some other folks who are listening, but what's the practical way that you would implement this as a leader? What are kind of the big things that you think about to build a process around this?
Mike: Yeah, so I think the first thing is, kind of what you just talked about is that leadership's got to be willing to just talk about it. Hey, do we have an InfoSec strategy? An information security strategy? If we don't that's the starting point. Being honest about what you've already discussed and what you may already have in place. And if you don't have a strategy, you need one without a doubt. I mean, the bad guys are planning right now. And you need to be able to have a plan that's going to respond to that.
So be deliberate about that. Put that out on the table. Ensure that you're building a culture of no fear around that discussion. Because one of the things that can happen is, within your leadership base, folks know where their vulnerabilities potentially are, where their gaps are, where they've got folks that may be easy targets for that phishing piece we talked about.
Just be honest. Where are you at in terms of your strategy? Discipline with your planning approach too is really important. So don't make this a one-time event. A lot of organizations I have been with in the past, they'll wait for an incident before they start moving down the path of talking about information security.
Don't do that. Be proactive. Again, know those bad guys are out there and they're planning right now, so come at them.
Rich: You wouldn't leave your driveway in a car without car insurance right? Hoping you don't get in an accident. It seems really logical, but maybe this is one of those areas we just don't like to plan for it because there's so much documentation and we have so many other things to do. But I'm hearing what you're saying. It's really important.
Mike: Yeah, it is. It's critical. And so that planning piece, we want to get out there. I think there's a degree of humility that's got to happen too, and I kind of touched on that a little bit. Again, you're going to find you've got holes, and you may also find that you don't have the internal subject matter expertise given how sophisticated these things are these days.
And the tools that are available to people that want to harm you from an electronic standpoint. So be humble as an org; if you don't have the subject matter expertise, it's okay. As we kind of talked about, there's a fleet of resources out there now in terms of being able to go bring in some of that expertise. But no, to that very point you just made, if you don't spend the money on the insurance policy and the accident happens, it's going to be significantly more costly on the backside, without a doubt.
Another thing that I would tell you is that you want to build a culture that assumes that the bad event has already happened. And that way you've got folks that are already on guard. You're putting your systems in place to manage for that likelihood. It isn't whether you're going to be subject to an attack or whether you're going to be subject to a breach; it's likely already happened.
And I actually picked that up, that was a neat thing that was in a little CIO course that I took a few years back that said, Come at your information security as though it has already happened. And that gives you a chance to bring much more proactive approach to the way that you're going at it.
And then the last thing that did come out in JoAnn's interview is practice. Go through not only the planning of your disaster recovery plan, of your business continuity plan, but have real-life scenarios in there where you can practice, and even consider paying third parties. So one of the things that we look at, both at Kermit and other orgs, is external penetration testing, which is code for paying somebody who is a good actor to pretend that they're a bad actor and let them test your perimeter, let them test your controls and see what you get. Be willing to step into those types of things.
But practice is really important. So you create your plan, you want to make sure that it's documented, you want to make sure you review it. I'd recommend quarterly; that's what we do and other organizations do. And then you want to practice, you want to set up scenarios and really go through and test your plan and see if it's going to meet the need.
Rich: Mike I'm really grateful for you being on the team here at Kermit. I'm really proud of the work we've done together as a company to ensure that we're taking this very seriously. As serious or more so than even the big hospitals that we work with. I mean, this is a big issue for us.
So, Mike, thanks for being here and for spending a little bit of time to talk about the interview we just heard.
Mike: Well, it was my pleasure, Rich, and thank you for having me on.
Rich: So that concludes this episode. Another one is in the books now of the Healing the Hospital podcast. I want to thank JoAnn Ioannou for being this episode's Hospital Healer. She was fantastic.
And to stay up to date with everything that is the Healing the Hospital podcast. Follow us on LinkedIn and YouTube. These links and more are in the show notes. We want to bring the stories of Hospital Healers changing things for the better. So if you'd like to nominate a Hospital Healer to be featured in a future episode, visit kermitppi.com/healingthehospital and submit the contact form that you'll find there.
And if you're enjoying The Healing The Hospital podcast, be sure to subscribe so that you never miss an episode and leave a five star rating wherever you listen to your podcast. Thank you so much for spending part of your day with us and for listening to this episode of The Healing the Hospital podcast.
I've been your host, Rich Palarea, and I'll see you next time.
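Editor's added example, not part of the episode and not Kermit's code. It illustrates two of the protection points Mike raised: role-based provisioning of PHI against a "minimally necessary" policy, and keeping visibility into every access attempt. The roles, field groups, user names and the patient record below are constructed for the example; a real policy would come from the organization's own data classification.

```python
"""Role-based, minimum-necessary access to PHI with an audit trail.

Added example; not code from the podcast or from Kermit. The field groups,
roles and the patient record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields grouped by sensitivity (constructed classification for the example).
DEMOGRAPHIC = frozenset({"patient_id", "age_band", "sex", "zip3"})
IDENTIFYING = frozenset({"name", "address", "date_of_birth", "phone"})
CLINICAL = frozenset({"diagnosis", "medications", "notes"})

# Each role gets only the fields its function needs; anything not listed is denied.
ROLE_POLICY = {
    "analyst": DEMOGRAPHIC,
    "billing": DEMOGRAPHIC | {"name", "address"},
    "clinician": DEMOGRAPHIC | IDENTIFYING | CLINICAL,
}


class AccessDenied(PermissionError):
    """Raised when a role asks for fields outside its policy (default deny)."""


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    patient_id: str
    fields: tuple
    allowed: bool
    reason: str = ""


@dataclass
class AuditLog:
    """Append-only record of every read attempt, allowed or not."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, fields, allowed, reason=""):
        self.entries.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            fields=tuple(sorted(fields)), allowed=allowed, reason=reason,
        ))


def permitted_fields(role):
    """Fields the role may read; an unknown role is permitted nothing."""
    return ROLE_POLICY.get(role, frozenset())


def read_fields(record, user, role, requested, audit):
    """Return exactly the requested fields, or refuse the whole request.

    Refusing outright (rather than silently dropping the denied fields)
    makes over-broad requests visible in the audit log instead of
    quietly succeeding with a truncated view.
    """
    requested = frozenset(requested)
    denied = requested - permitted_fields(role)
    pid = record.get("patient_id", "?")
    if denied:
        reason = "outside policy: " + ", ".join(sorted(denied))
        audit.record(user, role, pid, requested, allowed=False, reason=reason)
        raise AccessDenied(f"{role} may not read {sorted(denied)}")
    audit.record(user, role, pid, requested, allowed=True)
    return {name: record[name] for name in requested if name in record}


def minimal_view(record, role):
    """Project a full record down to the fields the role is allowed to see."""
    return {name: value for name, value in record.items()
            if name in permitted_fields(role)}


# Constructed sample record; every value is fictional.
PATIENT = {
    "patient_id": "P-0001", "age_band": "40-49", "sex": "F", "zip3": "212",
    "name": "Jane Example", "address": "1 Example St", "date_of_birth": "1980-01-01",
    "phone": "555-0100", "diagnosis": "J45.20", "medications": ["albuterol"],
    "notes": "follow-up in 6 weeks",
}


if __name__ == "__main__":
    audit = AuditLog()
    print(minimal_view(PATIENT, "analyst"))
    print(read_fields(PATIENT, "bsmith", "billing", ["name", "address"], audit))
    try:
        read_fields(PATIENT, "ajones", "analyst", ["patient_id", "name"], audit)
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in audit.entries:
        print(entry)
```

Two design choices worth noting: an unknown role is treated as having no permissions at all (default deny, in the Zero Trust spirit Mike describes), and a request that reaches outside its policy fails as a whole and is logged as a denial, so over-broad requests show up in the audit trail rather than being quietly trimmed.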