
Welcome back to Higher Ground. This is, yes, it's Kathleen, ringmaster of Higher Ground. One of the things that I really am enjoying about the virtual summer camp this year is we're able to delve a little bit deeper into career tracks, and by this I mean whenever I talk to someone about their career they're thinking that they're just going to do pen testing, or they're just going to do, you know, forensics, but they don't actually look at the specific industries, and there are so many industries that overlay into security. So today we're really going to talk to two of my dear friends in the community who have been ankle deep, eye deep, over their head into health care, and what's really interesting is that they've overlaid not only their security backgrounds but their privacy backgrounds, and really opening up the door to what kind of careers that you can look at being a security professional and helping the healthcare industry.

Welcome to BSides Las Vegas 2021, the virtual edition. This is, yes, it's Kathleen, and I am the ringmaster for Higher Ground, one of the tracks here at BSides Las Vegas 2021. We always focus on career search and career development here in Higher Ground. Over the past few years we've really focused on search techniques, understanding hiring managers, and really understanding yourself as you're going into career development. This year we wanted to focus a little bit more on some key industries and what you need to do to get involved with specific industries in information security. I am honored and pleased to be joined by two of my colleagues who focus on health care information security, and have them share with us some of the things that they have encountered in developing their career within healthcare information security and their recommendations to you if you want to move into this new field. So I'd ask my panelists to introduce themselves. Sushi, you want to kick it off?

Sure. Hi, my name is Tsuchi Smith Appahi. I'm a data privacy and cybersecurity lawyer, and my specialty is in health technology and healthcare. I've been in the field for quite a long time according to me, but I think it's like a decade, or maybe 13 years. Anyway, so I've been around, seeing a lot of things in the, you know, traditional healthcare and then health technology and the disruptions and stuff like that, and worked with some amazing security folks and worked with some folks who are really on the trajectory to being amazing. So I'm really looking forward to this conversation and sharing what I know with y'all.

And Mike Murray has always been part of Higher Ground, really sort of focusing on career development for mid managers, so I'm really excited to put him more on the spotlight right now, focusing on health care. So Mike, you're interested?

So, thanks Kathleen, and I know you know, but I'm always excited to be a part of Higher Ground and speaking to this audience. But you're right, this time we're talking a little bit about something that's in my wheelhouse. So for those that don't know, I'm the CEO of a company called Scope Security, which is an open XDR platform that services only healthcare delivery. We sell to hospitals and health systems and people who are delivering care. And I came to healthcare a long way into my cybersecurity career. Unlike Sushi, who sort of started in healthcare, I started out as a, you know, hacker, pen tester, vulnerability researcher back in the 90s, and have worked all kinds of places and ended up coming to health care later. I ended up, after I exited the last company that I started, which was called MAD Security and the Hacker Academy (it's actually two companies, but long story there), ended up through a bunch of serendipity taking over pre-market medical device security at GE Healthcare, and walked in the door and learned that really security people don't know anything about healthcare. And I was sort of patient zero in my own experience, that I was the person walking into these rooms talking about things that security people knew and realizing that that didn't necessarily work with how healthcare actually worked. And so got really into understanding what our customers were going through, and eventually decided that somebody needed to go start a company to solve some of their problems, and ended up being me. And so here we are. But really looking forward to this panel and to all the conversations we have.

So we have two different trajectories going into healthcare information security. So Sushi, take us back to when you first started thinking about getting involved in health care, and share your career path in a little bit more detail so that people can see the trajectory that you've taken and what really interested you in going into healthcare information security.

Yeah, mine is kind of random, so I like to say that I just fell backwards into my career, and I think this might resonate with quite a few folks who are thinking about healthcare security. So in university I was studying to be a doctor. Then I took a health policy class and I realized that there was a lot of information that was lacking on data privacy and data security from folks who were really established in the health policy field, and so they just didn't have a good grasp of technology and what it really meant for health privacy and security going forward. And so after taking that class I did a brief stint in health IT, which only confirmed everything I thought was going on when I was in the health policy course. And so I went to law school. I focused on privacy, and because I'd been working in the healthcare IT industry before, it was easy for me to decide to just specialize in it, because I had all of the background knowledge I needed to understand the healthcare industry itself and who needed to send data where and why they need to do it and what was more important. And that's what I've been doing for the past several years, and then I moved into health technology, which has been an interesting experience that I'm sure we'll touch on later, where it's navigating folks who really know technology but who really don't know security or healthcare, and getting them on the same plane.

So, and Mike, you mentioned a little bit earlier about, you know, that you were at GE Healthcare, but, you know, sort of again share your career path: what got you interested in healthcare, and what were some of the milestones throughout your career that led you to starting your own company?

So I knew I was going to start my own company. I started my first company at 19. That had nothing to do with technology; I put myself through college teaching kids how to play hockey. I'm Canadian, and so hockey sort of is a thing with us. And so starting a company was always just things that I did. My dad's an entrepreneur, and it just was a thing that was always in my kind of DNA. But specifically around healthcare, it's such an interesting journey for me, because what I really learned when I got to GE was just how little security people... and Tsuchi just said it, but I'm going to show my own ignorance by telling some of my most embarrassing moments of my early time at GE Healthcare. Security people don't understand that healthcare is just different. I will never forget, I'd been at GE maybe six weeks, and... sorry, I just... can we edit this part out? Let me pause for a second. I actually went down a road and then I was like, nope, I want to tell the GE story and then I'm coming back down the road. Yeah, sorry, got mixed up there for a second. All right, so I was about six weeks into my time at GE and I was sitting in a meeting and we were reviewing a medical device, and it's designed for security, and I asked about authentication. I said, okay, what's the authentication and access control strategy for this device? And the designer of the product said, we don't do authentication. And I said, as probably every person watching this would, that's not a good thing, like we need at the very least usernames and passwords, but it probably needs to tie into the enterprise SSO strategy, and like, where's your authentication? And I pretty much monopolized this meeting talking about the lack of authentication on the device. And then we left the meeting, and this sort of older, you know, gray-haired, long-ponytail old biomedical engineer pulls me aside and he said, Mike, you don't get it. That device is only going to be used in an operating room or in an emergency room. Do you want the doctor to forget their password if you're the one bleeding out on the table? And I went, oh, all this stuff that I know from all the other things that I've ever done, maybe they don't apply here the same way that I expect them to, so I should start to learn about how these people work. And that was really where I started to really become kind of a healthcare person, if that makes any sense, because that's the moment where I realized that maybe security people don't have all the answers and we should go listen to the people in our business.

So that really delves great into our next question, which really talks about what was your technical and non-technical background and how did that help or hinder you as you moved forward in your career. So I'm gonna have you, Mike, sort of carry on with that, and then we'll move over to Sushi. So can you sort of expand a little bit more about the technical, non-technical background and what you saw helped you in your healthcare career, and what sort of was it?

Yeah, so I've always been a bit of a generalist in that way. I'm pretty good technically, and, you know, I started out as a vuln researcher writing exploits, so I have a certain level of technical depth. But somewhere early in my career, and you've seen me talk about this at other BSides Las Vegas Higher Ground talks, I realized that if I wanted to be successful at a broader level, no matter how great an engineer I was, it was always going to be better if I could get teams of people to do things for me and realize vision that way than that I would ever be a good enough engineer to do those things on my own. So I started developing those skills early on of management and leadership and understanding the business and all of that sort of thing. And when I got to healthcare it was so important that I had those skills, because I realized that we as an industry... like, you really think about the security industry and the evolution of it, the majority of what we started doing was securing banks and financial services and the like, and the practices in financial services and the government have always been sort of assumed that those will work anywhere, right? You know, well, banks do it, that's the best security there is, or, you know, DoD does it or the NSA does it, that's the best security there is, so we should be following that model. And unfortunately a lot of those technical skills are great, but they have to be modulated for the business, right? What works on an oil rig doesn't work in a hospital and doesn't work in a bank, and until you're able to engage with that business and apply those skills in a new context it's really hard to move into a very specialized industry. So I was really lucky to have some of those skills, and I was really lucky to have some mentors, especially inside of GE, who were willing to take me aside and say, you need to re-examine your assumptions and you need to apply these skills in a different way to this industry that needs unique things.

Great. And Sushi, when you were sharing your career path earlier, you were really talking sort of... you did some IT, but you also were working more on policy. So can you sort of expand upon, you know, how much of the technical background you used and how much of the policy background, and which sort of shaped where you were going next with your career?

Yeah, so I've always been a little bit of a curious person, and that's really helped me out with technology, because I'm not a technical expert, and as a lawyer I rely pretty heavily on my technical experts or team members to make sure that I have risk analyses correct, you know, a full understanding of the situation. So it's really a partnership between me and the security team or the engineers or whomever I'm working with who's more on the technical side. But I had to have at least a basic understanding of several things, like what the data formats are, why we would be exchanging data in certain contexts. And something that Mike touched on that's interesting to me is the idea of the financial industry being sort of a... like that was the barometer for security, whereas as someone who's been grown in the healthcare industry, you know, I would never, even in the legal world, legal privacy world, I wouldn't say that, hey, I've done healthcare so I can definitely also do financial industry. Like, I couldn't do that, because I'd have to go in and read all of the regulations, figure out what the definitions really mean, all of the case law, and then find out what the nuances are from partners who've already worked in the field or people who've already worked in that specific financial field. So that was, Mike, by the way, super fascinating to me.

Can I tell a story? I was literally... I was talking to a healthcare CIO that said that one of the vendors that we all know, one of the big vendors, came in to sell to him and sell him security products, and the sales pitch of the person that walked in the room was, and I quote, this is a direct quote from this healthcare CIO: we work with all the big banks in the world, they're better at security than you are, you should work with us. That's the way that we treat healthcare security executives as an industry.

Oh, it just doesn't work. It takes like the entire patient, provider, hospital... I mean, there's so many arrangements that suddenly exit that scenario. But I guess, so to really address the question, Kathleen, I didn't have a strong technology background. Like, I didn't train in it. I was a neurobiologist and a political scientist, and that was my undergrad, and then I went into health policy work because of an Obama initiative and learned how to implement electronic health records systems, and that meant reading through a lot of manuals, asking people who were actually in cyber security questions, and getting an understanding for the field. So I didn't need a tech background to get into health data privacy and cyber security as a lawyer. However, it has been incredible working with the newer lawyers in the field who do have that technology and security background. So if we had more, you know, born and bred technologists who are moving into the policy, regulatory, lawyer space, then it would make my life easier, or the general counsel's life easier, the CEO's life easier. So I encourage folks to get into this field.

Wonderful. So one of the things that we always hear when we're, you know, doing a presentation about careers and career trajectories is the education and the certs. So let's talk a little bit about what are the certifications that you think you need to have in this, or don't need to have, or what is some of the community involvement that you need to do to sort of advance your career, give yourself a really good foundation. So Sushi, you want to kick it off with that?

Yeah, and I would love to kick that off. So I have a rather poor opinion of certifications, and I will defer to Mike on security certifications specifically, because I don't have knowledge of how hiring works from a security perspective for a security team with certs. From my perspective, if you're pursuing a cert, and I don't know of any that really will get you into health security, it's better to just learn about basic things like what is protected health information and what is HIPAA, who does it apply to. After that you'll learn the rest of it in your job, and ideally you would learn all of that on the job anyway. So for me certs don't mean anything. They're typically an amount of money that's taken out of your pocket for someone else's pocket and you don't get a value add out of it. [Laughter]

And Mike, what do you think about various different certs, or what are some of the things that you would recommend people be involved in other than...?

Yeah, I'm gonna get myself in trouble here. I always love when we're recording these and, you know, I have to parse my words carefully a little bit. You know, the last company that I started, we did a lot of training, we did a lot of certification work, and I actually agree with Sushi completely. I'm not a huge cert fan, and especially if you want to get into healthcare security. I think it's actually... I mean, we know that (ISC)² has their CISSP for healthcare, I don't remember what the exact acronym is, you can tell I don't have one, and it's not something that I require to come work at Scope, because honestly I think Sushi got it right. Like, the rules for security are pretty much the same everywhere. It's really how do you apply it to the business and how do you understand the business. And to me there's two things driving the healthcare security market. One is healthcare security talent is really hard to find, and almost every CISO or CIO that I talk to in healthcare is desperate for security people who want to work in healthcare. So it's not like, you know, you're competing with a huge number of other people who all have the same credential, but there's lots of opportunity if you want to work in this field; you just have to be willing to. And the other side to that is how you get good at it, right? And it's not by going and taking, you know, reading some book and passing some multiple choice tests. As Sushi said, it's about immersing yourself in their business. The groups that I would look at is less the security folks, right? I spend a lot less time talking to (ISC)² than I do talking to HIMSS. For those that don't know, HIMSS is... and I don't remember the acronym off the top of my head, but actually this year it's really interesting, HIMSS is actually in Las Vegas right after Black Hat and DEF CON. So I'm actually flying out there to go to DEF CON, and we'll be at DEF CON, you know, Friday, Saturday, Sunday, and then HIMSS Monday through Friday the following week. So if anybody wants to be in healthcare cyber security, stick around an extra couple of days if you happen to be on site, and I guarantee you there's lots of opportunities at HIMSS. But HIMSS, there's a group called CHIME, which is the association of healthcare executives, there's a group called the ACH. These are the real healthcare industry organizations that will teach you how healthcare works and to understand, like what Sushi was talking about, you can tell when somebody's in healthcare when they say payer, provider, like it just comes out of their mouth really easily, and then you realize that there's a lot of people who don't know what that means, right? And that payers, and especially if you're not from America, payers and providers is a divide that really only exists in this country, because payers is what we mean by health insurance companies, and providers is health care delivery: hospitals, doctors' offices, things like that. But those are the things you have to understand when you walk into healthcare organizations and talk to them about security. If they start saying the, you know, 18 factors of PHI and your eyes glaze over because you don't know what the heck they're talking about... that's what's going to make you successful at your job, much more than some certification.

Yeah, and I think, sorry Kathleen, I was going to give a plug for HIMSS. When I was in health IT it was indispensable, because you could go and meet the folks who were involved in cyber security in the healthcare world. I think it's like Health Information Management Security Systems or System Standards, something like that. And so they have chapters everywhere, so you can get involved, get to know the players in the field, because the field is so small you'll know everyone in it within like a year. And it's really helpful. Everyone's very helpful. The healthcare industry is generally a collaborative, collegial place to be.

That sounds great. I know a lot of people who would be very interested in being part of a collegial environment that's, you know, protecting the security and information security of patients and doctors and nurses. When we were all talking about this earlier, we sort of were coming up with that this is a very mission-oriented career path. You know, in one of my previous careers I was involved in non-profit fundraising and marketing, and I thought that I was supporting a mission, and yes, it was a mission, but it wasn't a mission that I sort of felt changed the world. But when the three of us were chatting earlier we sort of talked about the mission of healthcare information security. So I just want to have the two of you sort of talk about, you know, how do you become successful within healthcare information security, and is it really tied to a mission? So, Sushi.

I think being successful in healthcare security means being open to continuously learning, being aware of the context, and then being very, very creative. And I say that because a lot of times the medical industry does certain things a certain way when it comes to data and security, and if you're working in healthcare security you have the opportunity to say, hey, we can do this in a better way. But to be able to say that without coming across as some, like, young, stubborn upstart from another part of the healthcare or another part of the security industry, you really have to understand the industry and what they're trying to get to and who the end client is, because the end client is probably not the person you're working for. The end client is going to be the patient, right?

That's great. So Mike, a little bit more about how to be successful in this industry, and, you know, is it mission oriented, is it semi-mission?

Can be. I think it really depends on where you are and what drives you. So I mean, Kathleen, you know me, I'm very mission oriented, right? I make the joke all the time that I could have gone and started any company, right? I could, and if I wanted to be, like, you know, the next Elon Musk or something, starting a healthcare cybersecurity business probably wasn't the path to the easiest riches. But for me, when I look around the security industry and I think, what do I want to spend my time doing, it's where can I make the best impact on human life. And securing a hospital is far more interesting to me than securing, you know, a bitcoin depository or something. You know, like to me that fits with what drives me. The other side to it is, and Sushi had it right, there's a lot of just intellectual challenge that's really interesting in healthcare. Healthcare has a diversity of challenges that I haven't seen anywhere else. You know, there's lots of networks that you don't have Windows 98 and Windows XP still in massive populations. That's not true in the hospitals, right? Almost every hospital you still find some of that. You'll definitely still find Windows 7 everywhere, old Linux boxes, and then figuring out how to secure them, because you can't put any software on them because they're FDA-regulated medical devices. So all the tools that you're used to having just aren't available to you. And as Sushi said, the opportunity to be creative is really there in healthcare, but you have to be willing to understand how they work and you have to be willing to understand what they're up to. So whether you're mission oriented like me or not, and, you know, that's what drives me, but in a lot of situations I think you could just find that it's a fascinating place to work too.

Right. So Mike, you brought up that example of Windows XP on all of the devices, and I know everyone probably is cringing in the audience, but can you sort of delve into that a little bit more about analyzing the business investment, the return on investment, and the risk? You know, what is that sort of balance that you have to play, being a security professional within?

So you have to realize that healthcare isn't one technology environment, it's three. It's traditional IT stuff, which looks a lot like what you get anywhere, right? Like there's laptops and desktops and switches and routers in healthcare just like there is everywhere else. Then there's the entire care delivery workflow, or clinical technologies. You often hear it called biomedical technologies. People like to call it the internet of medical things, which I feel like is just too much marketing for me to actually use. But like all of that stuff is much like you see in any sort of operational technology environment. You have long life cycles for things, right? A top of the line CT scanner can cost anywhere from eight to fifteen million dollars. Well, you're probably not replacing that every three years, right? If I'm gonna go spend, you know, eight figures on a device, I'm expecting that device to last for 20 years. Well, think about it. If I built a computer in 2004 expecting that it would last until 2024, it's probably a Pentium 3, right, with maybe a gig or two of RAM, and it's running Windows XP, and it might even be running Windows 2000. But that's still in use today, because it's still a valid CT scanner, and nobody expected to buy that and swap it out every three years. And so, you know, the really interesting thing in healthcare, and I mentioned there's three environments, the third one is the electronic health record system, which Sushi was talking about, which is its own set of challenges and we can talk about at some other time. But the idea that you're going to buy all this incredibly expensive equipment... I was talking to a CFO from a health system recently, and we were talking about his, and I quote, Windows XP problem, and he said, I have about a hundred million dollars of devices that are running Windows XP right now, and my security team says we've got to replace them all, and I'm like, where am I going to get 100 million dollars to replace all of these? Like, we don't make that much, like we're not that big a business. And you start to understand that this equipment has to stay in use, and that us as security people walking around going, that's Windows 7, you can't patch it, take it off our network, that's a good way to get yourself hated really fast as a healthcare security person.

So we touched on this a little bit earlier, and I'm going to turn the floor over to you, Sushi, as far as healthcare privacy. So we're unfortunately lumping, you know, healthcare privacy in with healthcare information security, but, you know, I think that data records, the electronic records, understanding that there are so many different transfers of information between the payer, the provider, the patient: how do you navigate a career so that you are understanding healthcare privacy but also becoming successful at it?

Yeah, I actually think the answer to that is going to be exactly the same as it was before, but there's some additional context there. In the healthcare field you can't have a successful healthcare privacy program without a successful healthcare security counterpart, and I'll give you an example of why that's the case. A long time ago, when I was in private practice, there was a medical device, and the way the medical device works is that the doctor would say, hey patient, you can go use this medical device, here's the prescription for it, here's the place you go, here you pick it up. These medical devices were reused by patients. When they're done with their course of treatment they would turn it back in. And for more context about medical devices, the companies that create these medical devices are not required to send updated software to the medical devices, so frequently you'll get something in 1999 or 2000 or whatever and nobody does anything to it from a security perspective, regardless of all of the sensitive information, ever, right? So for me that's a huge privacy problem, because here's what can happen, and this is what did happen. You know, three of the patients who were... so patient number one used the device. Patient number three was able to see patient two and one's information just by rolling up a little switch and clicking on that profile button, and that profile button had first name, last name, date of birth, and then all of the measurements, and I think it was like O2 measurements or something like that. So under HIPAA, which very specifically defines what creates an incident or a breach, it's risen to the level of a breach. That's a privacy problem, but it's also a security problem, because the security person could have looked at that and said, hey, you know, maybe we should find a way to erase the data or wipe the data, or maybe we shouldn't be doing this at all. And it's that type of creativity, that creativity and awareness and ability to really work around these weird frameworks that you're stuck in, because the FDA isn't doing anything. There's a huge movement to get medical devices to be more regulated and to be more secure, but that's been in play for a while. So you, the security person or the privacy person, are stuck going, okay, what can I do to minimize this risk and make sure it's practical so I don't end up on the front page of the newspaper.

So Sushi, you bring up a really good point as far as regulations, and it's interesting that there are so many different security sort of careers that have some impact by regulation. So we have health care, we have finance, we have gambling, we, you know, a few others. So in your creation of your career, how much time have you had to spend researching regulations, and how much of your time do you have to spend keeping up to date with that? Because obviously you didn't have to get a certification, but you do have to get a certification and understanding of all the regulations all the time.

Yeah, it's like a second job, which might be kind of a scary concept. I have my day job. I also have several newsletters. I use Twitter pretty aggressively to get information, especially from the infosec, cyber security, incident response world. I'm always consuming information, and you have to do it because the landscape is changing so rapidly and you want to be aware. So an example of that is ransomware was sort of a thing back when I was in private practice, and over the last three and a half years it has hit like some kind of, like, mess, I don't even know. It's a wild ride. All of the lawyers I know in cyber security in the healthcare space are really worried about ransomware, because there have just been so many successful attacks. And so part of my job is going, okay, hey, I know this person who's doing a panel or doing some kind of webinar, so even though it's in the middle of my work there, after my work hours, or maybe even before my work hours, I need to show up for that so I'm in the position to give the correct guidance to my privacy team or my legal team or my C-suite. And that's happened several times. Like, there are several times where I'll see something on Twitter and I'll ping my security colleague and say, hey, did you see this come down, and does it affect us, and are you worried about it? And sometimes it's nothing, and other times it's been, yeah, we need to look into this, there was a bulletin that went out. Like, that kind of constant awareness is absolutely necessary.

Awesome. So we've sort of painted this picture of the healthcare industry as, you know, a creative challenge, one that has a mission component if you would like to have a mission component. I'd really like both of you to sort of point out what are some of the challenges you encountered that most people outside the industry wouldn't even consider. We've touched on several of those, but maybe recap those. Mike?

Yeah, and I think it's going to flow really well from the last one, because I think it's really important to understand that within healthcare especially, understanding the regulatory environment really helps you understand a lot of the technical decisions that are made within hospitals and understand a lot of the challenges that they face. To Sushi's point about the FDA, the FDA has only had cyber security guidelines since 2014 for pre-market guidance and 2016 for post-market guidance, and the challenge for that in the industry is, if you see how medical devices are designed and built, it takes about five years to get a medical device to market. So the devices that are coming to market now are the first ones that have ever been built with cyber security regulation. Everything that's on the market right now pretty much was built in a time that no cyber security requirements were required. When I got to GE, we hard-coded the root passwords to all of our Linux-based medical devices. You could not change them, and we printed them in the manual, and that was not legally a risk that we were doing so. In fact, it was accepted practice at the time. And so you walk into healthcare and you go, why is this all backwards, and why are all my root passwords for every device on my network printed on some PDF on a website, and then you figure out how to secure that, right? There's a lot of things that don't make sense until you actually immerse yourself into the healthcare ecosystem. The EHRs are my favorite example. You know, the medical device manufacturers are regulated and required to actually publish vulnerabilities and publish patches. The EHR vendors aren't. So one of the major EHR vendors put out 50 security updates last year. That same company has one CVE in the history of the company, which means there's not one security product on the planet that knows how to detect the vulnerabilities and exploitation against that massive product that is worth billions and billions of dollars and holds literally every health record in this nation, pretty much. And when you start to understand some of these challenges in the regulatory space and why some of the practices for certain parts of the software
environment and the technology environment and why some of the practices in healthcare are the way they are that's when you get to be creative but the real challenge kathleen to your question is you've got to be willing to understand all of this stuff and really immerse yourself in it before it starts to make sense to you why things are done the way they are and only then can you really change those things and and it's it can be a hard road and it can be a frustrating road especially if you are not willing to really like examine yourself and examine your own practices and and and really think about why people are doing what they're doing
Kathleen: So it actually sounds like you have to be a little bit humble to go into healthcare security. You know, a lot of us like being, you know, top of our game, and we'd like to know it all, but you even got someone to pull you aside to say, hey, you're not Mr. Know-It-All in this industry, you've got it all backwards. So Suchi, what are some of the challenges? You've pointed out some of them, but what are some of the other ones you think that people who are looking outside in would not even consider, and that you encountered and you were able to work around?

Suchi: Yeah, I think the big one is really, like, you know, and we probably said this like 50 times already, but I'm going to echo it again, it's what Mike said: you really have to understand the business itself and the structure. And as a privacy and cybersecurity lawyer in this field, that often means that I need to understand more of the corporate stuff or more of the marketing requirements or things like that before I can really give guidance, because all of those regulations also play in on the privacy and cybersecurity regulations. And so the best colleagues I've worked with, and most of the security folks I've worked with are amazing, but there's a difference between entry-level healthcare security and your management or senior management or your C-suite, and the best folks that I've worked with are the ones who can sit in a call and say, okay, you've given me a lot of new information, here are the, you know, options that I'm thinking of, and here is what the risk looks like, and then are willing and able to take the feedback that they get from the other people sitting in the room who may have a more in-depth background on the various things that they're weighing, and do it in a way that doesn't make them feel bad about the fact that they're maybe not the most up to date, or they don't know that nuance. Because you cannot know everything as one person in the healthcare security or the healthcare privacy field. Like, you have to be open to being wrong, or, you know, just somewhat off, or whatever it is. You have to be able to have that patience and growth mindset, and if you do, the success is going to come so easily. And that's true for the junior healthcare security folks as well.

Kathleen: Well, we've had a really great conversation here. I'm really excited, you know, especially now as we're coming out of the pandemic and people are really looking at healthcare in a variety of different ways, that we've been able to introduce this topic here at BSides Las Vegas 2021 Higher Ground. I wanted to ask both of our panelists, what are your final career recommendations for our audience? And I would like this in two classes: the first is someone who is just new to information security and is considering a new career path, and then someone who is an experienced information security professional but would like to switch careers into healthcare. So Suchi, kick it off.

Suchi: Yeah, so for both, it would be to get that HIMSS membership. If you're already experienced, get it sponsored by your company if possible, and show up and listen, or be part of the problem solving. So that's the first one. I think the second one is, for the folks who are new, don't hesitate to ask folks you know in healthcare security for, you know, what their playbooks look like, because that's information that can be shared in healthcare security without any real restrictions. And then for folks who are experienced, I think if you're trying to transition from an experienced position in infosec to healthcare infosec, it's really diving into what is the difference and why is it so important, and again, that's focusing on what is HIPAA and how does the healthcare industry work.

Kathleen: Mike?

Mike: So I think there's two parts to this, and I'm going to give a blanket thing before I split it the way that you were thinking, Kathleen, which is there's two things that we haven't covered a lot of today. We've been sort of talking as though provider systems and hospitals and the like are kind of the end-all be-all of healthcare, but we're in a really exciting time for healthcare as well. There was more venture capital investment in health tech startups last year than in all the previous years combined, as far as I remember; the statistic is something like that. Suchi works at a health tech company right now. Scope is a health tech company; we are not a traditional hospital. But there are a lot of ways to work in healthcare that aren't necessarily the same as working in a hospital itself. That said, I think working in the actual health delivery organizations is really fascinating, especially as an early career person. I've always recommended to people early in their career to find jobs that are going to be very expansive, that are going to require you to learn a lot of different things, that are going to require you to be on diverse teams, rather than working on this massive team where I do the same task over and over and over again, you know, for 18 months and then add one more task 18 months down the road. Like, I think that one of the best ways to grow early in your career is to take a job where you're asked to do a little bit of everything across the entire environment, and that is the definition of every hospital security team I've ever seen, right? You are working in architecture, you're working in vuln management, you're working in policy, you're working in incident response, you're doing all of it. And so early in your career, and especially early in your career, the hospitals and health systems can't get enough early career people to come take those jobs. Great place to go work, great job to go do, great things to learn. Later in your career, we talked a little bit about the mission orientation, but especially to Suchi's point about how cohesive the executive teams tend to be and how interdependent everyone is, because I don't know very many security people who are also medical doctors who understand what all of the execs around the table understand. Whereas, you know, in lots of other jobs, security people, you know, like when I was at Lookout, my security skills and my tech skills were similar to a lot of the executives around the table. That's very different than in healthcare, right? The other executives have totally different skill sets, and so if you want to work in an interdependent way where you have a really strong team and you get to, like, rely on other people and not have to kind of be the smartest person in the room, healthcare's a really great place to do that, as long as, to Kathleen's point, you're humble enough to do it.

Kathleen: Well, thank you, Suchi, Mike. Thank you so much for joining me for this conversation. I really wanted to enhance Higher Ground this year to delve deeper into specific career tracks for information security professionals, and you both provided an excellent conversation. Thank you so much, and thank you to all.

Kathleen: So good evening and welcome to our last panel of Higher Ground. It has been so exciting for me to bring these panels to Higher Ground, because we all know that security is fascinating and we know that we are protecting so many different assets, but one thing that we haven't been able to explore through any of the cons is the various different industry silos, industry paths that people can take. We explored earlier about the finance security panel, and I really appreciate all of those panelists coming together. Right now we're talking with two of my friends, Suchi Pahi and Mike Murray, who not only are fellow security professionals but also fellow drinking professionals. So our first question... red wine for most of us. So anyway, our first question that we have from the audience is: many healthcare delivery organizations need this mashup of skills between cybersecurity and healthcare. Do these organizations know they need this? How can they find the appropriate people? This seems like a recruiting problem that's worse than many other cybersec specialties. So Mike, I'm going to have you address this question, because we have another question coming through for Suchi.

Mike: Okay, so yeah, this is one of those "yes, and" kind of questions, because I think it's a true statement that you need both those skill sets. I don't think it's very different than anywhere, right? I think you watch talks about security careers, whether at BSides or anywhere, and somebody on stage is bound to say that you have to understand the business you're in in order to protect it. That is 100% true in healthcare, just like it's true in financial services or, you know, oil refining or anything else. I don't think most people get that experience by learning it before they get there, though. I learned about healthcare when I started working in healthcare, and it became a bit of a crash course in healthcare, and I've spent the last 10 years, you know, completing that crash course, although it's not complete. I learn about healthcare every day. But I think you don't necessarily have to have it coming in; you just have to realize that you're going to have to understand the business you're in no matter what that business is, and you have to commit yourself to learning about it.

Kathleen: Well, I also think that, you know, to the question, so many of the healthcare organizations are really more geared toward hiring the right medical and nursing staff. That, you know, is their service delivery system, and so most of the recruiters who are working in those organizations are doctor recruiters or physician specialties or nursing, and that is a much more specialized recruiting than recruiting for security professionals. And you're asking recruiters in a healthcare organization to do both physician recruiting and security recruiting at the same time. So this is something that's evolving. That's, I think, going to be the problem: candidates who are looking for this kind of career have to be patient with the recruiters, to understand that the recruiters may not be as trained in security specialties as they are trained in, you know, determining the right neurosurgeon or the right, you know, physician's assistant. The second question that we have for Suchi is: what job roles are available for people who are interested in healthcare policy but aren't necessarily lawyers, and how can you find the right organization to be part of if you want to be part of healthcare privacy or policy?

Suchi: Yeah, actually, I love this question, because we would love more tech folks who are comfortable and, I guess I'm going to say agile, I know it's a buzzword, with various technical concepts, and able to actually write, or learn how to write, or do research and things like that in the health policy field. Because honestly, like, as a lawyer I can learn and do a lot, but I really enjoy being able to learn from someone or work with someone who knows the area, like, on the ground, basically. And so if you're interested in doing health policy, whether or not you have a master's degree or something like that, you can look at organizations like the Center for Democracy and Technology. They used to have a great health privacy project; I don't know if they still have it. But organizations like that, they're non-profit, based out of DC, and they tend to take people for fellowships. They're looking for folks who are technical who want to learn how to be leaders in the space, and then they'll let you do your thing and connect you with the other people that are really important within the government. So you can be a policy specialist that way. You can also go work with a senator or a congressperson and influence policy that way. I cannot remember his name for... oh, Ron Wyden has technical specialists on his staff, and he's incredible when it comes to dealing with technology in Congress. And so if you go work with someone like that, you know, you're really opening your own doors into the health policy and privacy
space.

Kathleen: Wonderful. So another question that we have is: what does the opportunity look like for security researchers in healthcare these days, particularly regarding product security, embedded device testing? You know, so Mike, this sounds like something more that you did at GE Healthcare as far as dealing with product development, and so not only what does that sort of career path look like, and what would be a really great way to break into it?

Mike: Yeah, so let's start with: there's actually somebody that I know who's hiring for security researchers right now in this space, and that's Mitch Parker from Indiana. He actually has just started a red teaming lab to do security research on medical devices that come into his health system, and you're seeing more of that kind of thing. The product security orgs, it's really funny, it's really hard to find people. Like, I know all the medical device manufacturers are really struggling to find people that can actually do that work. And there's a little bit of, it's not really traditional security research, it's kind of halfway between security research and very traditional security architecture, because you have to be willing to work at the speed of medical device manufacturers, you know. And so the kind of "move fast and break things," "hey, let's just blow things up" kind of ethos doesn't usually play as well, and so you have to modulate that if you want to work in that space. As far as healthcare delivery actually having security research, other than Mitch and maybe Mayo Clinic and maybe Kaiser, I don't think there's anybody that's really doing a lot of that kind of work. And then the other thing I would say is, companies like us, there's a bunch of startups in the space, whether in the sort of, like, network firewall-y kind of IoT solutions like Medigate, or, that list is, you know, 50 million things long: Medigate, CyberMDX, or Zingbox. I'm leaving out a whole bunch of them, I don't want to offend anybody, but, you know, just all of those companies are looking for people. Us at Scope, we're always looking for folks like that. My friend Dan Dodson runs a company called Fortified Health Security that is an MSSP that does a lot of pen test type stuff and some security research out of Nashville. Like, there's companies that do this. You just have to, they're not the traditional security companies, you got to go find us, but we're out there.

Kathleen: So on the hiring side, what do you think is sort of the unconventional or hidden skill or talent that you think is important for someone to look for when they're hiring in healthcare infosec? So, you know, when I think of this question, I think of our discussion about this topic and how it was very mission oriented, so it almost seems like I would think being able to go beyond yourself and wanting to give back, because you both seem to be interested in the greater good or the higher purpose, because we are talking about people's lives. But what are some of the other essential hacker skills that people would need in healthcare security? Suchi?

Suchi: I would start with, I think, the ability to understand nuance and contextualize the feedback that you're giving other people who aren't in security. So I want someone who can gather information and then give me, like, the nitpicky details and say, hey, it's maybe not a data breach because of XYZ, or maybe never use the word breach at all, and then explore that with me as the counsel or the privacy officer.

Kathleen: Mike?

Mike: So I'll throw in, so completely agree on all of that. I'm going to go left turn, as I usually often do, and say I think one of the real... so two sides, but the same skill, just different sides of it. One is patience and the other is the willingness to be flexible, because healthcare is its own business, it is its own environment, it's its own politics, it's its own org structures. It's a lot of learning for people who came up, you know, if you ain't got an infosec degree. Like, a lot of the things we do in our industry have largely been formed by financial services, right? From the structures of our sort of hypothetical orgs, and a lot of the things we do in many of our compliance standards and stuff, you know, it came from SOC 2, or it came from some of these very financial services kinds of ways of working. Healthcare works differently, and if you're going to walk in and try to be dogmatic, and if you're going to walk in and try and change them, you're going to lose. Like, so you have to be patient, and you have to be willing to learn that you don't actually know how healthcare works until you go learn how healthcare works.

Kathleen: Well, I want to interrupt and say, you know, something you said in your presentation was, you know, understanding that you can't just go in and patch a hundred million dollars' worth of equipment. You know, we're so used to being able to go in and deploy patches or fixes or something like that, and this is very similar to the defense industry. You know, you have to be able to, in the defense industry, work on technology that's maybe 15 to 20 years old, because it's legacy and that's what everyone's on, and you can't just change it. So I think that would be another skill, is that having that angst of, like, why can't I just deploy this one script and fix everything.

Mike: Yeah, that's what I mean by patience, right? Like, you have to be willing to learn why these things are inefficient. And, like, defense is a really good example, Kathleen. Like, look, I can't go work in defense. I don't know how those people think at all. My brain doesn't work like that, and it would take me years of learning to go work at a defense contractor, right? But people think they can go into healthcare and, like, oh well, I know that HIPAA, I know how to spell HIPAA, so I'm good, right? It doesn't work like that. There's a lot of work. You have to be willing to sort of be the, the, uh, the sort of open and, what do the Zen Buddhists call it, the beginner's mind kind of student. You have to go in and realize you don't have a clue for at least the first year. And I started this journey of learning healthcare in 2013, and I still don't have a clue most of the time. So, and that might just be me, but at the same time, like, you know, it takes a long time and there's a lot to learn. It really does.

Kathleen: So we're going to wrap up here. Suchi, any final thoughts to tell people to inspire them to be part of healthcare privacy and policy? And I'm going to give you another, different question, Mike.

Suchi: I would love to see more people in this space, so if you're interested and you have questions, obviously reach out to me or Mike. There are a lot of people participating in BSides Las Vegas who are healthcare oriented. And HIPAA is spelled with one P and two A's, y'all.

Kathleen: I love the Texas y'all in there. That smells really good on y'all. So Mike, breaking and fixing and making new products in healthcare: how does someone bring their security mindset to that?

Mike: Oh, damn, that's a hard one, Kathleen. It's hard to be a wrap-up question; I can talk about that for an hour. So first thing I'll say, actually I'll plug something: come to the Biohacking Village at DEF CON, because they set up, and actually this year's weird, but we're still doing it, but usually there are medical devices there that are eminently hackable, and it's always fun to hack the new stuff that the medical device manufacturers bring. But just reach out, like Suchi said. Just reach out, come talk to all of us, like, you know, and talk to other people who are in this space. I, uh, sushi dude who's on Twitter and who's been asking questions here has been working with the healthcare stuff for a while. Like, there's lots of us that do this. I mentioned Mitch Parker earlier. You know, like, there are many of us out there. Come approach us, we're nice, we don't, you know, we don't bite fingers off when approached. And, you know, like, just come say hi. I will give whatever advice I can, and if I can't help, I probably have friends, like the two of you and all the other cool people who are watching this, that maybe I can introduce them to. So yeah, come hang out, and that's the best way.

Kathleen: Wonderful. Suchi, Mike, thank you so much for sharing your strategy, your careers, your experience, and I know you've made Higher Ground always just a wonderful place to be. So thank you, and good night everyone from Higher Ground at BSides Las Vegas. Take care, bye-bye, good night.