October 2025

Speaking the Same Language: Building Trust Between Security and the Enterprise

Introduction

Today’s session will begin with Steve Cagle, who served as CEO of Clearwater since May of 2018, and recently transitioned to a board advisor role at Clearwater, following Clearwater’s acquisition by Sunstone Partners. Steve will provide a threat brief overviewing some of the key threat actors that the healthcare sector is facing, and what organizations like yours can do to take steps to mitigate risk and protect your organization. Then Steve will guide a conversation with Tracey Touma, the first cybersecurity business liaison at Cleveland Clinic. Tracey brings a truly unique perspective. She bridges the gap between clinicians, executives, and IT teams, helping them all speak the same language when it comes to cybersecurity. In her role at Cleveland Clinic, she’s led initiatives that reduce friction, improve efficiency, and make security part of the organization’s culture, not just something that fits a compliance checklist. In today’s fireside chat, Steve and Tracey will explore how healthcare organizations can break down silos and foster collaboration across disciplines. Tracey will share how programs like Cleveland Clinic’s Friends of Cybersecurity initiative are helping caregivers and leaders see security through a shared lens, one focused on protecting patients, enabling innovation, and driving operational excellence. So welcome, Steve and Tracey. It’s great to have you with us today. And with that, let’s dive in. Steve, I’ll turn it over to you first for this month’s Cyber Update.

Steve Cagle: Okay, thank you very much, Monica, and thanks to everybody for attending this briefing, which will be my final time giving this briefing. I want to thank everybody who’s been here for many, many months, and I hope you’ll continue to attend these on a monthly basis. So, we will begin today with our usual update on reported healthcare breaches to the OCR Breach Portal. I always like to remind folks, these include all reported breaches of 500 or more individual records. Through September 30th, there were a total of 547 breaches reported this year to the OCR breach portal, with 42.1 individual records involved, and since our last meeting, that’s an increase of 2.1 million new records, and a total of 67 new reported breaches. First, some potential good news. As many of you know, historically, we’ve seen about 35-40% of healthcare breaches involving a business associate. However, over the last few months, we’ve actually seen this percentage trend down a bit, with only 27% of reported breaches involving a BA in September and August, versus 38% in January through July. So, I know this is only a couple months of data, but I also, you know, like to look for things that are encouraging. Vendors, in particular digital health and health IT companies, we know have been a source of many large breaches because, of course, they hold many covered entities’ or other BAs’ data, and especially since the Change Healthcare event last year, and some of the file transfer software breaches we’ve seen, vendors are really being held accountable to much higher standards by their customers, and they have been increasing their security investments and even using strong security as a selling point for their solution.

So perhaps there’s some good news that we’re seeing here in the data. In terms of notable breaches, I wanted to point out Goshen Medical Center, which reported the largest breach of the month last month, with 456,000 plus records. That was rumored to be a ransomware attack by BianLian, and, you may say, hey, BianLian, we haven’t heard their name for a while. And that’s true. This medical provider said that they first discovered suspicious activity going back to March 4th. They found, or claimed to have found, that certain files were accessed in February, February 15th of 25, and then later, they produced a breach letter that said, on or about September 12th of 24, we learned that some personal health information, quote-unquote, was involved. So, you know, a few things to point out here. First, obviously, the timeline is a bit confusing, and some of the language was a bit ambiguous, in terms of some personal health information being involved. Of course, later, you know, there was a report, eventually, to OCR that occurred almost a year later than what appears to be the initial time of the breach. Of course, the requirement is that 60 days is when the breach should be reported to OCR, as well as publicly, and to those involved in the breach. It’ll be interesting to see how that plays out, as OCR will likely investigate that. Also, I’ve spoken a lot in these briefings about just how we’re continuing to see successful cyber attacks occurring with large numbers of patient records at physician practice management groups, specialty care providers, and imaging groups, and sure enough, last month, the three next largest breaches took place at each one of those types of organizations. So Medical Associates of Brevard is a primary care group that suffered a breach of 247,000 records.

Then there was Retina Group of Florida, that’s an ophthalmology practice with approximately 152,000 records hacked, and then Doctors Imaging, a radiology practice with 172,000 records exposed, so again, very consistent with where we’re seeing some of these attacks. Of course, we know there’s some latency here from the time that they actually occur to the time that they’re reported, but again, overall, we’re seeing very consistent trends. You can go to the next slide, please. I know this audience likes to get the latest and greatest data, especially when it’s healthcare-specific, so I wanted to share some highlights from a report by Netwrix, which was produced in early September based on a survey of 2,150 IT professionals and security professionals globally, and they zoomed in on healthcare-specific organizations. The bottom line of the report was that healthcare continues to suffer greater losses from cyber attacks versus other sectors, and again, this is not, you know, unfamiliar to hear, but again, more data that supports what we’ve seen in some of the other reports.

Not surprising, first stat here, almost half of healthcare organizations had some type of security incident in 2025. The cost from these losses has increased significantly from the 2024 report. So, in 25, about 12% of firms had losses greater than $500,000 versus 6%, so double the previous year, and in addition, 4 times the number of healthcare organizations saw losses of $200,000 or more compared to 2024. And, you know, one of the main reasons for the impact, you know, being higher and the cost being higher, as we’ve been talking about, of course, is that threat actors are just becoming much more capable, they have broader reach, and they’re achieving more impactful results. And a lot of that’s being driven by artificial intelligence in their attacks. 37% of the interviewees acknowledged that and said that AI-powered cyber attacks are a key concern for them.

We’ve talked about AI-powered attacks in other briefings, and you can go back to the archives to view those. But really, in summary, we are seeing cybercriminals incorporating, particularly, gen AI models into social engineering, helping them to develop their software, helping them to even run their operations, and the overall impact of that is just, it’s higher quality of attacks, more convincing social engineering, and reducing the number of resources that they need. Of course, all that is contributing to some of the numbers that we’re seeing here in these reports.

On the next slide, we can talk a little bit about the latest trends in ransomware attacks on healthcare since our last briefing. So really in September, we had an additional 30 U.S. healthcare organizations posted to threat actor leak sites, and if you were here last month or watched the recording, you may recall that I said there was a significant uptick in the number in August compared to previous months, and September was fairly consistent with August in terms of those numbers. The average number of attacks in August and September represents an increase of 45% over the average number of attacks from April through July of this year, so again, a pretty significant increase.

Again, just a couple of months, but, you know, the trend is heading in the upward direction, and as we have reported for, you know, some time now, Inc Ransom and Qilin continue to be the top threat actors; nothing new there. They continue to be very successful in the healthcare space. Inc Ransom had 5 attacks, and Qilin 3 last month. But, really, we’ve seen very much every month, you know, new threat actors coming into the healthcare space. And I think what was very interesting about this month’s data is that there were two relatively new threat actors that actually came on the scene last month, but this month they’re in the number 2 and number 3 spot.

So PEAR tied Inc Ransom with 5 attacks, and I found 4 attacks on U.S. healthcare organizations attributed to Sinobi. I’m going to talk about both of those threat actors in a moment. But as always, you know, we also want to highlight some of the ones that have really appeared on the chart here for the first time. So there were 4 new ransomware gangs that posted healthcare data leaks, and that included KillSec, Obscura, Dyson, and Cloak. Obscura and Dyson are relatively new gangs; they only have a handful of, at least, identified leaks or attacks across all industries globally. KillSec and Cloak are pretty well-established threat actors already in the cybercriminal world. In terms of where these attacks are coming from, again, we’re seeing a lot of them coming really at specialty providers, as I mentioned earlier, through what we’ve seen in the OCR breach portal data. Among those, you know, we had a lot really happening at the imaging centers in previous months. We are seeing a trend now in behavioral health, and these organizations, I mean, it somewhat makes sense. They have very sensitive data, so they are much more likely to pay the ransom. Many of them are also pretty immature when it comes to security and risk analysis, which then makes them an easier target, and sure enough, four of the attacks last month were specifically on behavioral health organizations.

Orthopedics have also been targeted for a long time. We had, I believe, 3 attacks that have occurred in that space, 3 on digital health companies, 2 each in pharma, surgical, and dental, only one on imaging centers this month, and then one attack on a hospital. Moving on to the next slide, as promised, I’ll talk a little bit about some of these newer threat actors on the top left of the chart, or left side of the chart. Sinobi had a range of attacks on different types of organizations, including Pittsburgh Gastroenterology Associates, United Pharma, Queens Center for Change, that’s a behavioral health provider, and Watsonville Community Hospital. Unclear whether that data leak is a new attack, or related to the one that happened back in November of 25.

Sinobi emerged in June of 2025, so relatively new. They’re suspected to be a rebrand of Lynx, which is a ransomware gang that first appeared in 2024. eSentire, another security firm, published a case describing the method of attack on one of its clients, where Sinobi was able to compromise a vulnerability via the victim’s managed service provider. So, again, a, you know, an attack vector that we’ve talked about before, through the MSP. In this case, the threat actor leveraged a compromised SonicWall SSL VPN credential, or a set of credentials, that mapped to a very overprivileged Active Directory account that had domain admin rights, and you can probably figure out how the story goes from there. You know, we’ve talked about this many times. We do see these threat actors becoming much more effective at beating or disabling EDR and other defenses. Of course, when they are able to move laterally, create new accounts, and give themselves permission, it makes that even easier to do. But this is another case or example of a threat actor that really went after those defenses. So they had multiple attempts to disable the victim’s Carbon Black EDR, and eventually, they were able to uninstall it. How did they do that? Well, they discovered a deregistration code stored on a file server on the network. So, it did not even take hacking; just very simply, the victim literally left the key to uninstall and deregister their EDR software, and from there, of course, they were able to exfiltrate data using Rclone.

They were able to then deploy their ransomware, and like we see with many of the newer ransomware software, prior to encrypting the files, the ransomware deletes files in the recycle bin, they enumerate hidden drives, they delete the volume shadow copies, and they just make it very, very difficult to recover without an immutable backup of, you know, the data and systems.

Next slide, we have PEAR. PEAR stands for Pure Extraction and Ransom. That’s where that name comes from. They emerged also in June of 25. And, unlike other ransomware gangs, this is really an encrypt-first type of threat actor; they focus on data theft, they act as a data broker, they earn their money through extortion, and they sometimes extort their victims multiple times. So, in September, PEAR had attacks on two orthopedic providers, Beaumont Bowman Joint and Western Orthopedics. They also had the attack on Expert MRI Imaging Center, Tri Century Eye Care, and then VerveMedis, which is an EHR provider. And then, this is not in the data because it was in October, but I wanted to mention they also had another attack on another orthopedic in October.

So overall, I think they had 3 in the past, you know, 30-day period on orthopedic organizations. Unfortunately, we don’t have a lot of information yet on this particular threat actor, although I expect there probably will be some soon, just based on the volume of attacks, but they have been observed gaining access through a compromise of email credentials and exploiting vulnerabilities. Of course, those are two of the top methods of compromising or exploiting an organization. They are very efficient in collecting, archiving, exfiltrating data, of course, as you probably would imagine, considering that is really what they’re focused on, versus encryption. They do use Tor-based file server onion services. And they provide proof of their data in negotiations.

They have also, as mentioned before, gone as far as triple extortion for some organizations, and they will, and they have, provided the data, leaked the data, you know, for free if they can’t get money for it, or if they can’t resell it. So, you know, they’re going to call the bluff and eventually, you know, leak the data if they’re not paid. Two new threat actors, again, very focused on healthcare that, you know, we need to be aware of. We’ll come back to some recommendations, as always, later in the presentation.

The next slide, I wanted to provide an update on Scattered Spider. So this has been a frequently featured threat actor on our briefings. They’re not a ransomware gang per se, but one of the most successful and effective groups at leveraging AI-based social engineering to gain access to large corporate networks. Highly effective, highly impactful attacks, hundreds of members all over the world, and they then, you know, partner with ransomware gangs and use a variety of different ransomware as part of their attacks. So if you tuned in last month, you know that most recently, Scattered Spider had been behind the attacks on Oracle Cloud, as well as the Salesforce. There were two different campaigns there. They were involved with some of that as well, and they also announced, last month, or maybe a little bit more than last month, that they combined forces with other threat actors, including Lapsus$ and ShinyHunters, and created a new group known as Scattered LAPSUS$ Hunters, and since then, they’ve been collaborating together and conducting attacks against Salesforce customers, and they’ve been doing this very successfully, and if you pay attention to this type of news, there’s been a lot of news on this group over the last several weeks.

It’s been about 5 weeks since our last briefing, so a lot has happened. I’ll try to summarize here, briefly. But, they had launched a massive cyber attack that brought down Jaguar Land Rover. That’s been all over the news. That happened back in September. In September, you know, they shut down facilities. I believe they are just resuming production this week. Losses, they projected to be over $1.5 billion, which is probably low. These numbers usually go up once all the dust settles. And, you know, at the same time all this has been going on, there have been several arrests, you know, of Scattered Spider members, and if you go back to earlier this year and throughout this year, law enforcement has really put a lot of attention on this group. So in August, Noah Michael Urban, who is a Scattered Spider operative, was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution. Then in September, prosecutors in the UK charged two Scattered Spider members, ages 18 and 19. We’ve talked about how these are really teenagers, a lot of them. They extorted at least $115 million in ransomware payments from companies victimized by their group, and then U.S. prosecutors then charged the 19-year-old, Thalha Jubair, who’s a UK citizen and resident, with the ’23 hacks of MGM and Caesars Entertainment. So, you know, there’s been a lot of law enforcement activity, and they’ve been, of course, attracting a lot of attention to themselves, so I think all this heat, and the fact that they created this new cartel, led them several weeks ago to publish a letter stating that their group, which names at least 8 separate threat actors, by the way, and says there’s more, is going dark.

And the letter’s really an interesting read. If you have a moment, you can click the link later to read it, but they make reference to the members that were arrested, provide condolences to the families, state that the investigations are going to fall apart, and then also insinuate there are some breaches of major airlines that have not yet been announced. So, most people took this as a smoke screen. This is not real. They’re not really just, you know, gonna go silently out, you know, into the night. And sure enough, on October 5th, Scattered LAPSUS$ Hunters posted a blog post stating they’re responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 code repositories. They claim to have client secrets, such as access tokens, Git tokens, client infrastructure details, and then separately, and this is a developing story, Discord has started emailing users affected by another breach claimed by ShinyHunters. And a story came out yesterday that claims that they claim to have stolen about 5.5 million unique users’ information from the company’s Zendesk support system, including government IDs. Discord is claiming that was a Zendesk breach. The threat actors were interviewed by BleepingComputer, and they said that’s not true. They were able to compromise vulnerabilities of a third-party business process outsourcing group.

Bottom line here is, you know, these guys are not going away. They are continuing to be very, very active, and if you look at the group that they’ve put together, it’s very much like a DC Comics Legion of Doom. So they are folks that we have to really continue to be aware of, despite some of the, you know, things that we’re seeing in the news. I don’t think they’re going away, and very likely, you know, thankfully we haven’t seen too much of them in healthcare, but we know that the techniques that they’re using are also being used by other threat actors, and they are going after critical infrastructure.

On the next slide, I wanted to provide an update on LockBit, which is another threat actor that, you know, we haven’t heard much about recently, but at one point, they were the most dominant ransomware gang globally across all sectors, and this group at one point had targeted 2,500 victims with more than $500 million in ransomware payments. A lot of sparring with law enforcement. LockBit’s leadership was ultimately taken down in Operation Cronos in early 2024. Its creator, Rostislav Panev, was arrested in Israel in August of 24, then extradited to the U.S. in March of this year. He’s now being charged, and despite all that, LockBit has resurfaced in September 25, in honor of its 6th anniversary, with the release of LockBit 5.0, and this is the newest iteration of their ransomware. It has been observed already in the wild, and it really represents a very significant evolution in the ransomware-as-a-service model. It combines cross-platform capabilities with advanced evasion techniques that complicate detection and frustrate forensic investigation. This led to H-ISAC posting a threat alert on October 1st, and, you know, the significant feature here, really, is the cross-platform attack infrastructure.

It offers Windows, Linux, and then also a dedicated VMware ESXi binary that enables simultaneous attacks across different infrastructure and platforms in the organizations, and really just enables the threat actors, the operators, to be much more effective. In particular, with the ESXi hosts, they can compromise that, and that will result in, you know, dozens or hundreds of encrypted virtual machines, really just, again, magnifying the impact here. The new version also has heavy obfuscation, a more user-friendly interface, it has customization options, and again, very similar to what we’ve seen with Scattered Spider and ShinyHunters and Lapsus$, they formed a coalition with DragonForce and Qilin, and you know, a lot of folks said, hey, how’s LockBit gonna get credibility? Because when they disbanded, you know, they lost their affiliate network. Their affiliate network eventually went to RansomHub. RansomHub went away, the affiliate network went to Qilin. Okay, LockBit has now formed a coalition with Qilin. So, LockBit is bringing more advanced software, Qilin’s bringing the affiliate network, DragonForce also is bringing capabilities, and here you have a potentially very strong partnership. And again, these are threat actors that have specifically targeted healthcare, so we want to be aware of that threat bulletin and definitely refer to the recommendations and the IOCs there. Regarding OCR enforcement, on the next slide, please.

OCR Enforcement Update

One update, last month, OCR enforced, or really had a settlement, I should say, as a result of a HIPAA enforcement action with Cadia Healthcare Facilities. That’s a rehabilitation and skilled nursing healthcare provider, not related to a cyber attack or ransomware, but rather an investigation that was initiated after a complaint was received by OCR alleging that Cadia had impermissibly disclosed a patient’s name, photograph, information pertaining to their conditions, their treatment, and their recovery in the form of a success story. So they posted a success story about a patient, allegedly without their permission. OCR investigated, confirmed that, indeed, there was not a valid written HIPAA authorization form from the patient, and that sparked an investigation into all the other success stories, and sure enough, there were no HIPAA authorizations, and as a result of that, Cadia was found to have impermissibly disclosed PHI, did not have the appropriate administrative, technical, and physical safeguards in place, and also failed to provide breach notification to the affected individuals, so they will be paying a $182,000 settlement to OCR and embarking on a two-year corrective action plan.

Good reminder here of the importance of having the appropriate policies and procedures in place, as well as periodically assessing compliance with those policies and procedures. We need to make sure they’re in alignment with HIPAA, and of course, that they are being followed.

Recommendations

And then wrapping up the briefing on the next slide with recommendations that are relevant to the topics discussed today. You know, again, we’ve talked about this in the past, we know that exploits of remote access tools have been a source of numerous attacks in healthcare, enabling threat actors to gain unauthorized access to a victim’s computer or network. We’ve seen this, again, with MSPs in particular, quite a bit lately. We want to make sure that we restrict remote access to only those users who absolutely need it, and also monitor those sessions, watch them very closely, detect suspicious activity, off hours, different geolocations, and so on. We talked today about PEAR, which is really very good at data scraping, archiving, and exfiltrating using Tor onion services. So again, these are things we want to monitor for, whether these services are being called, whether any suspicious archiving is happening, or other types of activities. We also talked about AI being used in social engineering attacks for more convincing campaigns, allowing threat actors to operate at scale. And again, we have to train our workforce on what to look for, right? These are very, very convincing social engineering attempts, phishing, smishing, as well as vishing, and it requires constant updates to security awareness programs. We’ve had many attacks, including, you know, ones we talked about today, that came down to bad cyber hygiene, you know, leaving a deregistration key on a server, you know, being able to uninstall the EDR software.

So, you know, we need to have, of course, good assurances that we’re putting the appropriate baseline controls and hardening in place. We want to make sure that we avoid accounts being compromised. We want to have phishing-resistant MFA in place, of course, making sure that’s in place for any type of external-facing application, but also internal high-value applications. There’s no way to guarantee that MFA is going to work. Many don’t have phishing-resistant MFA, so we have to take the time to put in place, you know, policies to tighten privileged access account management, to ensure least privilege, and make sure that we are using strong passwords, keys, and tokens.

LockBit 5.0, you know, again, we want to specifically protect our VMware ESXi virtualization layers: patch and harden, restrict administrative access to hosts, restrict management interfaces to trusted networks. Again, a lot of that is in that H-ISAC briefing. And, you know, it’s very important to have the latest threat intelligence. Again, in these briefings, you see that every month there’s something new. There are trends, but there’s always new IOCs. You know, do you have the threat intel, and most importantly, can you take that threat intel and actually action it, and make sure that you’re using it to do threat hunting, or to put new controls in place to mitigate potential risks from what we’re seeing in threat actors’ tactics and techniques? We have to assume a threat actor is going to compromise some part of our environment. We want to make sure, of course, that if they do that, they cannot move laterally. That means having network segmentation, micro-segmentation in place. And also, again, making sure that we can restore our systems if there is a need to take down our systems, or if we do have encryption due to ransomware, are we able to restore from immutable backups?

And lastly, it is really just very critical to make sure your risk analysis is an ongoing, living, breathing process. We know that attacks are coming with different techniques, we have new vulnerabilities all the time, and what was sufficient today may not necessarily be sufficient tomorrow, especially if you’re in a part of the healthcare segment that is being even more highly targeted. So think about those behavioral health centers and orthopedic organizations, right? The risk is increasing because the likelihood is increasing that you’re going to be attacked. The techniques are becoming much more effective. The controls that you have in place need to be re-evaluated to determine whether additional controls should be put in place. So, I want to leave you with all that. I hope that’s helpful, and we’ll move on now to our fireside chat.

Very excited to speak with Tracey today. Great to have you here, and I’m looking forward to our conversation today. Tracey, I want to start with maybe just an opening question for you, which is related specifically to your role, so you can help us to better understand what you’re doing for Cleveland Clinic. We know this is a pretty unique role, cybersecurity business liaison. I’d love to know what the catalyst for that, you know, decision was to create that role, and how does it differ from a traditional security leadership position?

Fireside Chat: Building Bridges Between Security and Clinicians

Tracey Touma: Thank you so much for having me today, Steve. I really appreciate being here. What started out was an identity project. I was at Akron General, which was an acquisition of Cleveland Clinic, and we were very successful in our enterprise-wide tap-and-go deployment, where Cleveland Clinic, which is much larger, was having struggles, and really, what was the secret sauce that made Akron General very successful while Cleveland Clinic was struggling? And what we figured out, the secret sauce is communication with the actual clinicians. Explaining why we’re having this new technology, why are we changing the workflows, how is it going to benefit them, and what is in it for them? How can they succeed and give better patient care? The clinicians, at the end of the day, just want to provide good patient care.

That’s it. That’s their whole focus. And if you can describe to them why you have to have cybersecurity, they understand about breaches. They understand all about the risk. But how can we continue to take care of patients effectively while also being secure? And that’s where this role was created, to bridge those gaps and explain the why, also give them a voice. Say, okay, you’re adding 12 new clicks to me. How is that going to make my job any more efficient? How can we make it better? And when they had a voice, then we were going back to the table and looking. They’re right. We’re not adding any more efficiency, we’re actually hurting the workflow. How can we just do a badge tap instead of those 12 characters? And when we work together and partner, that’s how we succeed with patient care.

Steve Cagle: Yeah, I think that says a lot about the culture and the approach that you have at the Cleveland Clinic, that you created this dedicated position to really make sure that’s a focus, and really communicate to the organization the importance of that partnership. Let me turn here to innovation versus security, and you touched on that a bit. I know you said in the past that automation and artificial intelligence are pretty obvious solutions to clinician burnout, but they also come with high risk if they’re not vetted appropriately. How do you balance innovation and speed with the need to have those rigorous security controls in place?

Tracey Touma: We want to be very careful when we put in AI or automation. It’s like the shiny new little diamond that we want to see, and everybody’s like, oh, this is the answer, this is the answer. But is it really? It’s expensive, and what value does it bring, and is it really enhancing patient care? At the Cleveland Clinic, we are very innovative. We rely on research a lot to help better patient outcomes. So, absolutely, we sometimes need to take our research and segment it off so that it’s in a more secure space and it’s not affecting the other data. There are things that we can do to make sure that we have the security in place to make sure innovation will happen at the rate it needs to, but also not be a risk for the organization or the patients.

Steve Cagle: Yeah, and I know… So many organizations are… are really… working through that now, right? Trying to understand that balance, and it’s a, you know, it’s new ground for a lot of us, but certainly very important to have that balance in place. I know one of the things that you’ve created at, at the clinic is the Friends of Cybersecurity program. Could you walk us through that and, the steps that you take to… to make sure that you’re creating guardrails without stifling innovation, and what advice would you give to chief information security officers who want to replicate that program?

Tracey Touma: Absolutely. The Friends of Cybersecurity program is a quarterly program that we conduct. Very similar to your briefing here, we give threat intelligence, we also give calls to action, and we give major project updates to our clinical informatics, our pharmacy, our labs, all of our specialty cares, as well as, other key stakeholders to make sure that they’re aware. It’s an opportunity for us to give a voice to what’s happening, but also to give them a chance to give us feedback. The reason we call it Friends, I was part of many champion programs. And I was in IT for many, many years at Akron General, and I was part of the Cybersecurity Champions program. But all they ever did was delegate. They never let me have a voice and say, this is wrong, or this isn’t gonna work, or this workflow doesn’t help me, but here we give a voice. It’s very important at the Cleveland Clinic that we give a voice to all caregivers, including each partner. Whether we’re cybersecurity, informatics, we all come together at the table to find the best solution for the best patient outcomes.

Steve Cagle: That’s… That’s great advice. I mean, not just letting people, you know, be informed, but really giving them the opportunity to make a difference in how you’re moving forward with your program. Let’s turn to, you know, education, and really… helping to inform the organization about real-world impacts of cyber incidents. When you share that… that type of information with executives and clinicians, I’d love to know from your perspective, what do you think resonates the most with them? Is it the operational disruption that could come? Is it the patient care delay? Is it the financial hit? What are the things that really resonate with those leaders when you’re doing those briefings?

Tracey Touma: I think that all of those, operational disruptions, patient care delays, and the financial hit, are very important, but at the end of the day, it’s patient experience. There’s an expectation when you come to the Cleveland Clinic that you’re getting the best care possible. If we fall short of that because the patient experience has an IT outage, then that’s top of mind. Because it’s our brand, it’s our trust with our patients, all of that is so interwoven in all that we do. We take care of the sickest of the sick. And when you have family members coming to the organization, and we have an outage, it’s… it breaks that trust. And so it’s very important that we make sure we maintain the systems. And if we do have an outage, how fast can we recover? Exactly, to your point earlier.

Steve Cagle: Yeah, it’s really linking the impact to the impact on the mission, and I think… I think many organizations, I think, unfortunately, they’ve had some sort of security incident, or they’ve had a partner that’s had it, so maybe it’s a bit, you know, it’s hitting home a bit more. But it’s… it’s easy to forget as well. And I think having that constant reminder and linking it to what folks are doing every day really makes it hit home as to why it’s so important. You know, I know beyond having that voice, I think you’ve even gone a step further in just creating these partnerships, I would say, with clinicians and other parts or other functions in the organization. You’ve gone as far as actually shadowing the clinicians and running multidisciplinary forums. Can you share an example of some of that feed… or any of that feedback that you’ve had, and how that feedback specifically changed how a security solution was designed or rolled out?

Tracey Touma: Absolutely. We were in the process of installing our badge-in, badge-out process, where you would take your badge and tap in to get into the computer systems. We had pushed it across, and we were trying to be vanilla, and not have too many different customizations, because as we know, the better you keep standards and procedures, and it happens the same way everywhere, is the best practice. However, inpatient is different than outpatient. And so I was sent to an outpatient clinic, a seven-story building at the Cleveland Clinic that has different specialties on each floor. And as we were going through, I was instructed by my cybersecurity leadership, you have a notebook and a pen.

And you don’t have a mouth. You just write, take notes, and you watch, and just for 8 hours. You follow them the entire day, the clinicians around. And what we found out of that research, basically, is what I call it. We figured out there was some… saturation in the network, so there were access points that were a problem. There were some configurations at the PC level that didn’t get the right updates, so they weren’t having the right experience they should be on the network. As well as, there were also some protocols that weren’t being followed. So there was a whole nest of things that needed to be changed. But along with that, the whole workflow wasn’t working. Because in an outpatient setting, a clinician comes in and rooms the patient, the next person comes in and taps to get into Epic, and it would… they’d have to search for that patient. But there’s a way to configure the system where you can keep that outcome… that occurrence up, and the person taps in, becomes that person, they can put their care notes in, and we’ve just streamlined it, where they don’t have to search for that patient. It also takes away a lot of the quality issues, if there’s a patient being charted on the wrong account. It was very easy to do that. But now, if you come back up, the same occurrence is there in the room. A lot of those errors go away.

Steve Cagle: And it’s nothing against the clinicians, they are busy trying to take care of patients.

Tracey Touma: But it’s very important that as informatics and cybersecurity professionals, we go out and see what it looks like for them. Yesterday, I want to just give an example. I had the opportunity to follow a patient this time, the whole way through a chemo session. How, when she went to lab, went to see the physician, and then went and did the lab, and where there were delays, and how we can make improvements to the process. It’s very important that we just always keep the patient at the forefront, as well as the caregivers providing the patient care. There are things we can all partner together on to make it better.

Steve Cagle: Wow, excellent. Well, well said. That’s some great, great learnings there, great example. Security leaders are very often, Tracy, they’re… tied to business risk. You know, I think they… they understand that, especially today. But, you know, it only works if, the business leaders also understand the, you know, the security aspects, and, you know, what… what exact steps would you recommend to CISOs so that they can really learn the business lens while, you know, similarly, what would you recommend to business leaders to get smarter about cybersecurity? How can each side, you know, kind of be more effective in understanding each perspective?

Tracey Touma: I think it’s really important that we take a step back for the business leaders, first of all, to help them understand cybersecurity risk. My usual example is, you have a 16-year-old in your home, learning to drive for the first time, and your insurance goes through the roof. Used to be, like, $100 extra a month. And I was like, huh. Today, it’s probably higher than that. So cybersecurity risk is expensive, but if we can do education around… and there are things we can do to get that number to come down. Our disaster recovery tests, our education for our caregivers.

So we make sure that we are all speaking the same language and understand how we can reduce the risk. It’s really important to do tabletop exercises with executives, so they understand what’s the possibility, what happens if we lose this business service? When Change happened, we learned that pharmacy and billing couldn’t happen. How can we recover from that?

Are there other services that are Tier 1 that are important? Are we ready to be able to take care of patients without that service? And what does it look like? We have to start having those conversations. Because as we know today, it is not if, it is absolutely when, it’s going to hit all of us. So how are we going to be able to make sure the patients aren’t affected?

Steve Cagle: Absolutely. Absolutely, that makes perfect sense. Let’s talk a little bit about measuring trust and adoption. You… implemented a single sign-on project that you, where you tied success to reduced IT service desk calls. So that was really the measure there, as well as improved caregiver satisfaction. So those are great, great metrics to use to understand the success of a program. In a similar vein, should CISOs be measuring security programs in terms of caregiver experience? And if so, what type of KPIs would you recommend that they track?

Tracey Touma: I think it’s really important that they measure pajama time for sure, because we’re using AI to do documentation now. So as we’re implementing AI, are we getting that metric down for pajama time and documentation? Are they still missing dinner with their families? Are we able to showcase that measurement? But beyond that, are we able to roll out and get engagement? So, I really value Friends of Cybersecurity, and I measure, am I getting engagement on the projects that we need them to engage in? So, for example, we went from an 8-character password to a 12-character password. We were able to do 80,000 plus accounts within a 6 months’ time frame, which is basically unheard of. But we had engagement, we had articles, we had road shows where we would go and explain to them why we needed to go to 12 characters. And the importance of the cybersecurity control, that that would alleviate us. So, making sure engagement is able to happen with large projects, and they understand the why, and they’re able to engage quickly, is also a measurement.

Steve Cagle: Yeah, absolutely. I think those KPIs are really a sign of a mature organization, and certainly you know, implementing them, I think, demonstrates, you know, accountability, as well as value creation, and really points to ways that, security is, is, is, you know, kind of following the same way of measuring success, as you would see in other parts of the business that are held to those KPIs, beyond the security and the technical KPIs, right, the business KPIs. So, you know, if a CISO wanted to launch a partnership model like yours tomorrow, what would… what would you recommend as the very first step that they should take, and what pitfalls should they watch out for along the way?

Tracey Touma: I am absolutely certain that every CISO has a Champions program. I would just rename it, possibly, but I would make sure they understood the purpose of being a friend. A friend is loyal, a friend will help you, they’ll tell you the good, bad, and ugly, and they will give you the feedback you need. Feedback is so important, and having the ability to understand and internalize it. You don’t have to prove everything. When I first started, I wanted to prove, hey, cyber’s really here for you. It’s not about proving that, it’s about giving them the opportunity to have their voice heard and understand their pain points. And then respond, okay, I’m hearing what you say, this is how I want to help you, is this reaching you in the right place? And making sure that the clinical informatics, the project management office, your business relationship managers, they’re all involved, because it’s everybody. It takes a village to take care of a patient behind the scenes, and we’re all in it together, and making sure that we have one vision. Patients first is our vision, but everyone, whatever your mission is, make sure they understand the mission.

Steve Cagle: Yeah. And it’s having that… we call it a co-creation process, right? It’s making sure everybody’s fingerprints are, you know, on the program, just to make sure they have that ownership, and really, ultimately, you want those folks to be champions and carry that message out to the rest of the organization, so I think that’s really great advice. Well, just in, I guess, wrapping up our discussion, and if you have any questions from our audience today, we can take them. You know, at the end of the day, how do you connect the dots so that both caregivers and business leaders see cybersecurity not as a roadblock, but really as a driver of resilience and better patient care?

Tracey Touma: I think it’s really important that they see us out shadowing, that we’re in the trenches with them, that we are here… we’re not here to prove that cybersecurity is needed, and that we are not a cost center, or that we’re part of a bigger problem or a solution. We’re here for patients, patients first, and we’re here to partner and bridge that gap. And that you have a voice. Please speak up. Please tell us where we can improve, and where we can help you, and what are your pain points? Is it a workflow that we can make better for you? We really want to make sure that they understand the why, but we also want to give back. That has to be a warm handshake, and that we know that we’re in it together. And that’s really important.

Steve Cagle: Absolutely. Couldn’t agree more. It’s great, great advice, and really want to thank you for those insights, and I… I think there’s a lot of great recommendations that, folks can take back in action from this conversation, so… so thank you very much.

Tracey Touma: Thank you.

Steve Cagle: Okay, so a question on that note, Tracy, I think this one’s for… for you. When you’re… It’s a great question. When you’re talking about, implementing security controls to protect the organization, do you talk about protecting employees as well as patients?

Tracey Touma: Correct, yes, absolutely, because… as we know today, most hospitals have been hit with impersonation at the service desk. We all know that. So, we absolutely do talk about the caregivers and protecting their data, especially their work… their Workday data, so their payroll. We know that those actors are after money, not so much ransomware, that are going into Workday and changing banking information. So we’re absolutely… that’s why we went to 12 characters. To protect them as well. Not just the patient data, but their work paycheck. Because we were seeing that that was happening across the nation.

Steve Cagle: Yes. Yeah, there was… there… there was actually a news report, and I can’t recall who it was, but there were… there were 20 employees of a hospital that had their, well, there were more that had their information stolen, but there were 20 that had tax returns filed, with refunds going to different addresses, and I think the IRS flagged a lot of them, or maybe all of them. But, you know, that… that was a direct impact on the employees of the organization. So it’s really important that, yeah, we’re looking out for really any type of sensitive data that we’re protecting, or constituent that we’re protecting, so really appreciate that… that question.

There’s a question about incorporating ransomware and pair, I guess, a ransomware actor, into an organization’s IR policy and plan. Yeah, certainly, that’s probably how to do that, that’s probably a long answer, but, you know, certainly, we look at incident response, that’s one type of incident, would be a ransomware attack, and the playbook might be a… it’s probably going to be a little bit different for, for a different type of incident. So, there’s… there’s numerous references in NIST that we can use to ensure that we’re, you know, we’re addressing those particular types of scenarios, and really what I think is very important is, how we’re… we’re testing those incident response plans and working through those scenarios, because different types of scenarios might require different types of actions, different decisions, different people, different time, in terms of making those decisions, third-party partners, and so on and so forth, and making sure that we’re not only having plans in place, but exercising those plans, testing those plans, and exercising those plans. And when you exercise those plans, typically you find things that you’re missing, or things that are changing, and then you have the newer, you know, the newer types of attack methods that you have to update your plans for, potentially, as well, that might, you know, might… some of these might cause you to, you know, think about things a little bit differently.

But certainly, you know, ransomware is probably one of the top, top threats, to organizations, specifically their IT systems and data, and we need to make sure they’re incorporated into those policies and plans. So thanks for that question, and I think that probably brings us to time, so I want to hand it back over to Monica. Again, thank you so much to Tracy. It was a great discussion, and really appreciate you being here today and giving us your time.

Tracey Touma: Thank you so much for having me.