Identify K 18 Small White Pill for Patient Safety

HIStalk Interviews Steve Cagle, Board Advisor, Clearwater

Steve Cagle, MBA was CEO of Clearwater at the time of this interview. He transitioned to board advisor on September 30.

Tell me about yourself and the company.

Clearwater is a healthcare-focused solutions firm that provides cybersecurity compliance and managed security services to hospitals, health systems, physician practice management groups, digital health, and health IT companies. Really all types of organizations in the healthcare ecosystem. We help those organizations to be more secure, be more compliant, and be more resilient so that they can achieve their missions.

I’ve been CEO of Clearwater since May 2018. My background is in healthcare. I started my career in a software company that provided quality management software to help pharmaceutical companies comply with FDA regulations, such as good manufacturing practices. I then spent some time in the pharma industry in consumer healthcare products, running a business before returning back to technology and compliance here at Clearwater.

How do health systems decide how much effort and money to invest in cybersecurity?

Unfortunately in healthcare, most organizations have been historically underinvested in cybersecurity. However, we have seen over the last five years or so an increased focus, especially following the pandemic, when we saw a wave of ransomware attacks on healthcare organizations. Then we had the Change Healthcare incident a year and a half ago, which affected about 70% of the providers and caused very extensive damage.

As healthcare organizations have continued to adopt new technology, technology has become critical to operating their businesses or providing care to patients. They have realized that cybersecurity mission critical and requires them to have the appropriate protections in place to reduce risks.

That’s really the key word. It’s about understanding your organization’s risks beyond the high level. A lot of organizations have done high-level risk assessments. They may be helpful as a starting point. But we need to go much deeper in today’s environment, where attack techniques have evolved to become difficult to defend and protect against.

Organizations have had significant impacts from ransomware attacks and breaches. That’s why the Office for Civil Rights of HHS, which enforces HIPAA regulations, has been focused on risk analysis and their risk analysis initiative. Risk analysis in healthcare requires that organizations understand where they have electronic protected health information, where they have those critical systems that support their operations or are connected to those systems with EPHI, and that they evaluate the vulnerabilities and threats, assess the controls that are in place, and determine the level of risk that exists with each system.

By doing that, organizations will be better informed as to where those high risks are. Based on their risk threshold, they can then identify those risks that fall above that threshold and put specific risk remediation or risk management plans in place to address those risks.

That’s a business-focused way of approaching cybersecurity. It’s not checking boxes. It’s not trying to have the best security program in the world. It’s really understanding your risk at a level that is appropriate. Then, taking actions to bring those risks to an acceptable level.

What were the most important lessons learned from the Change Healthcare incident?

Risk analysis. Clearly there’s been a lot of uptick in organizations really understanding, “I need to get to that next level. I’ve been doing the same type of assessment for many years. I’m going to invest more money into doing that risk analysis so that I can have better information about my security program.“

We’re seeing a lot of attention on cybersecurity and risk from the board of directors and the executive teams. From a cultural perspective, there has been a change in healthcare where this has become a priority that organizations need to focus on.

We’ve seen big changes in resiliency, where organizations have plans in place to not only respond to a security incident, but also to contain it to operate under duress through a business continuity plan. Having updated disaster recovery plans and testing those to make sure that they are effective.

As we look at all the solutions out there that are based on artificial intelligence, we have new concerns. There was a big rush to implement a lot of these new technologies that are based on AI. Unfortunately, many organizations did not take the time to establish policies and procedures about how they will use them and to assess the risks around these technologies.

It is still risk analysis, but it’s a different set of risks and different set of controls. We are seeing a lot of interest from our clients in helping them to establish governance around artificial intelligence, cybersecurity, and privacy, or to assess their risks of those programs and to help make sure that they are implementing these technologies in a responsible way.

The mainstream press loves headlines about the devastating impact to patients of a local provider that has gone down from a cyberattack. How much do we not hear about providers who are successful in preventing that kind of attack?

That’s a very important point that you’re making. We hear about the bad news, but we don’t hear about the good things that are happening.