Digital Health Cybersecurity – A Global Partnership
Date
October 31, 2024
Runtime
43:42
When data saves lives, cybersecurity doesn’t only protect systems. It protects patients. In this episode, we explore a remarkable international collaboration to advance cybersecurity in digital health, and learn how health professionals can empower themselves to stay cyber-safe. Digital Health in Canada goes international as we speak to two co-chairs of the Global Digital Health Partnership’s cybersecurity work stream!
Learn more:
- Global Digital Health Partnership – Cyber Security Work Stream
- Proposed Global Digital Health Model Security Notice
- Guidance for Medical Device Cybersecurity
- Cyber Security Awareness Month 2024
Speakers
- Mikki Smith, Chief Information Security Officer, Office of the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology
- Fuller Yu, Chief of IT Operations and Cybersecurity, Hong Kong Hospital Authority
Transcript
DHiC 06 – Digital Health Cybersecurity a Global Partnership – v1
Mikki Smith: When I speak to groups that are like, why, you know, what do we have to worry about now with AI and cyber security? It’s the same thing you had to worry about before.
Katie Bryski: Hello and welcome to Digital Health in Canada, the Digital Health Canada podcast. I’m Katie Bryski, and I am a podcaster turned digital health professional.
Shelagh Maloney: And I’m Shelagh Maloney. I’m a digital health professional turned podcaster.
Katie Bryski: Now when data saves lives, cyber security doesn’t only protect systems, it protects patients.
In this episode, we explore a remarkable international collaboration to advance cyber security and digital health, and learn how health professionals can empower themselves to stay cyber safe. Digital Health in Canada goes international as we speak to two of the co-chairs of the Global Digital Health Partnership’s Cybersecurity work stream.
Welcome to the podcast, Mikki Smith, Chief Information Security Officer at the Office of the Assistant Secretary for Technology Policy in the United States. And Fuller Yu, Chief of IT Operations and Cybersecurity from the Hong Kong Hospital Authority. Welcome to you both. Thank you for joining us.
Fuller Yu: Thank you, Katie.
Katie Bryski: Let’s jump right in.
Shelagh Maloney: I think one of the things that many of our podcast guests have very circuitous routes to how they got to their current role. So I’m wondering if you can maybe introduce yourself and how you got to be where you are in your position.
Katie Bryski: And let’s have Mikki, then Fuller.
Mikki Smith: Sure.
Sure. So thank you so much. I support cyber security at the Office of the Assistant Secretary for Technology Policy slash Office of the National Coordinator for Health IT as Katie introduced. And I’ve been here for, I would say, almost nine years helping to implement cybersecurity practices in the overall mission of ONC, which is to foster the use and adoption of health information technology.
To establish standards for our health sector that help facilitate interoperability of health systems and networks, and also make sure that patient data is exchanged securely and privately, and it’s available to patients whenever and wherever they need it. So I’ve been doing that here. Like I said, for about nine years, previous to that, my background was primarily supporting our department of defense cybersecurity.
And that was for their military health systems. So just as our private sector has a health sector ecosystem, our military and department of defense – those agencies that support the war fighter or, you know, our active duty troops – also have health systems. So those health systems are a closed ecosystem for now, and they are to support the military’s active duty, military personnel.
And when I started that many, many years ago, it was largely regulated, right? I came from a largely regulated environment for cybersecurity because it is Department of Defense, and everything that they do is heavily regulated. So, implementing security there, when security started becoming like, you know, a big thing, kind of bubbling up to the visibility that it is now, at that time, they wanted to make sure that the military health systems were secure, they had appropriate controls, meaning security controls, to help protect the data.
In particular, this is critical because of course, this is the health data of our war fighters. So that is data that we want to make sure is secure, doesn’t pose any risk of unidentified access or unauthorized access and unauthorized modification. And making sure that they were always available, right?
That’s a big thing in terms of security. And one of the things that happened and it makes a whole lot of sense today, is that our private health sector environment was not even aware or had the technical expertise to implement cyber security. But as the federal government started to have a keener look into what these requirements would mean for the sector they needed to reach out and find health experts, but in addition to that cyber security experts and surprisingly, it’s a, it’s a bit of a unicorn, right? You might have cyber security experts, but you know, they’re not very familiar with health information systems, ecosystems, and you might have health IT people have no idea what cyber security is.
So I was, I don’t know, fortunate, I’ll say, to sort of be that unicorn, right, to have some of that health knowledge and the concerns of health information systems from my DOD experience, but also be a cybersecurity practitioner and have been able to sort of leverage my expertise to help ONC foster a lot of the initiatives that they have going forward.
As an organization, for example, creating rules that help govern and make sure that patient data isn’t subject to information blocking, establishing standards across the board, like FHIR standards for interoperability, that is allowing health systems to communicate across different organization and provider communities.
As well as establishing a trusted framework for the exchange of health data. The trusted framework being a network of providers that agree to a certain standard for connecting with each other and also exchanging data. It’s challenging, of course, as we all know here. But it’s also been very enriching as the health sector evolves in the U.S.
Understanding that cyber security is important. And as Katie introduced, it also impacts patient safety. And it can save lives. So that’s sort of the evolution of how I got to where I am today in a really small summation, but that is definitely an important role here for the department. They’ve taken a renewed and more robust stance to help the sector move the needle on their adoption of best practices for cybersecurity.
Fuller Yu: Let me just introduce myself. Hello, everyone, it’s my honor to share my, my story with you. So I have, uh, around 25 years’ experience in IT management, cybersecurity, and risk, mostly in the global financial service.
And for six years, I was in the healthcare sectors. So my role is now Chief of IT operations. I also covering the cybersecurity for the hospital authority here in Hong Kong. We are the authority to operate the 43 public hospital, as well as more than a hundred clinics serving the majority citizens in Hong Kong.
We are also the largest healthcare provider to Hong Kong. So my role is really to help our authorities to implement the digital transformation journey. As we are focusing on the smart care, smart hospital, smart staff. So my role is to help on this journey and make sure our digital transformation will have a secure and reliable products and services delivered to our patients.
As Mikki also mentioned, one of our key focus is the patient safety. And we also make sure we have good reliable services to our patients as well as to our citizens. So, before I joined Hospital Authority, my role is more on the private sector, on the financial sector. So I had several cybersecurity roles, in JP Morgan Chase, Credit Suisse, uh, AI insurance goods.
Besides which, I’m also the co-chair of GDHP Cyber Security work stream. Locally, I’m also an ex co member of a cyber expert group for the Hong Kong Computer Societies. And I also sitting in the circle, um, box for the education site to help to increase the cyber talents in the city.
Mikki mentioned about the patient safety. We are also a very prime target of the, uh, cyber attacks, because we have a lot of healthcare data and also our maturity level is not necessarily as high as other industries like the financial sector. So I think we are a really prime target and I think it’s really everyone’s job to really raise our cybersecurity maturity level in a more collaborative manner, not only with ourselves, but with everyone’s goal.
Katie Bryski: Fuller, I want to pick up a little bit on what you just said about being a target. This podcast will release during Cybersecurity Awareness Month here in Canada, but even looking at the news, you know, there’s been a lot of really high profile incidents involving health data and cybersecurity and breaches.
What is it about healthcare organizations that makes them an attractive target for cyber criminals?
Fuller Yu: I think we can look into several aspects. The first aspect I think is the data value and the data volume. As we know that the data is really a new asset. And in the healthcare sectors, I think probably we have the most valuable data, including the personal information and also your health records.
And if you look into this information of the data, if compared to the banking industries, if your credit card data is breached, the banks can get a new credit card number for you, a new card with a new number for you. However, if a hospital’s got a data breach with your data, the hospital cannot replace your medical data because the medical data is with you for the whole life.
So I think in terms of the data value, this is one aspect why we become a very attractive target. Secondly, I think is the capacities of the IT and system side. In the healthcare settings we have so many systems, so many interconnections, and also we involve a lot of data in the daily healthcare services.
So if you look at that, say we do lots of both the latest technologies, plus the legacy system, and then that they are all connected. Even with the medical devices as well. And if you look at that, there’s a lot of area that we cannot do the data patching in a timely manner. We cannot do that security patching in a timely manner, and also to upgrade the system to the latest version, for example, that we left lots of security holes that will become the opportunity for those malicious actors.
The first area I think you look at that is the lower security maturity level. This is really talking about the people side. In a healthcare setting with a very professional healthcare clinicians: nurse, doctor, allied health professional. They are really professional in their healthcare area. However, they not necessarily have the right level of awareness.
And in fact, if you look at the healthcare sectors, I think our awareness probably is below average. So this is really lots of area that we need to enhance the But if we look at the dark side, from the malicious actor perspective, they will become a perfect storm for them. Because there’s a handful of stuff that easy to exploit.
There’s a lot of legacy system you can exploit. And the data value is very high. So combining the three perspectives together, I think it’s the reason why we are really a prime target.
Mikki Smith: I don’t have anything substantive to add to what Fuller did. He gave a full picture of the value of the data. I think one of the things that Fuller pointed out that’s key for maybe patients or laymen in the health sector to be, I would say, aware of is, as you compare it to a bank, the value of it, one, it’s a whole of data, right?
So as Fuller mentioned, you have one place for not just financial data, right? You have payment data, you have health data, you have personal data, you know, address, phone numbers and things like that. In their composite altogether, you know, this becomes very valuable because it’s not just data that can be used at the moment for, let’s say, taking social security numbers or unique personnel identifiers from other countries and using that to, you know, steal identities.
But we’re talking about data that overall becomes not less valuable, but more valuable, right? As you look at a whole-of-data approach, if I have somebody’s health data records that includes all that, you can begin to see with some analysis and drilling down how that data in mass can start to pose a considerable threat to patients and our safety and our ecosystem, as well as being able to be more attractive and more valuable to those that would use that data maliciously.
Katie Bryski: And it sounds too like as emerging technologies like AI and quantum decryptors, you know, some data that may be safe today, may not be safe down the road, it sounds like. Like, I’ve heard of harvest and store.
Mikki Smith: That’s absolutely right, Katie. I mean, when you think ahead, everything that you add to that starts to become a more and more attractive and rich target.
I think Fuller really hit on it when he talked about the different elements of the data. And then also we’re looking at a system and an ecosystem that is not practiced, right? Like Fuller mentioned, you know, the financial industry, because money is quantifiable, right? We know a dollar is a dollar, but it’s harder than to quantify, you know, what that health data really is, particularly as we mature on it.
And Katie, as you said, start adding to those data elements. It’s a global push that we all want to be able to have all of our data, you know, readily accessible and easy to get to, and also be able to leverage that data for our own healthcare and our own health concerns. So I want to be able to take my data with me to my specialist, to my primary care provider.
But every year as we add on to that, it makes that data ever richer. And ever a more attractive target because even today, that data on the black market is still very, very valuable. And we’re talking thousands of records that you could potentially, if you were a malicious user, could potentially profit.
Shelagh Maloney: It’s interesting that one of the things we talk about in health is the importance of having the information flow for exactly the reasons, Mikki, that you just highlighted. And we also hear often with respect to health and data is that it has no borders, it doesn’t understand international borders. And so Fuller, I wonder if you can talk a little bit more about the international collaboration that is the Global Digital Health Partnership, or GDHP, and specifically talk about the cybersecurity work stream, what it is that you’re doing and who’s in it.
Fuller Yu: Yeah, thank you. I think the reason why we need to have a global collaboration is if you look at the cybersecurity, uh, it’s not a single city or country’s issue. It’s really a global issue. And if you look at those malicious actors, they work in a very collaborative manner. They work very closely and they don’t know any boundaries in terms of the country or national.
So I think it’s a global issue. And if this is a global issue, I think there’s a reason why we need to work together. And I think this is the reason why we have the global digital health partnerships. We really want to have a body, have an organization that work together to really to discuss the cyber security risk and to defend our own healthcare systems together.
I think our work stream is really here to advocate the cybersecurity technologies process and practice across the globe and to really focus on the healthcare industries and make sure we can protect our patients, protect our information.
So I think that’s the reason why we have this organization, and as one of the members I see a lot of benefits by joining this organization: that we can learn from each other, we can share the challenge and we can hopefully we can create some of the international standards that can help us to lift up our cybersecurity maturity model and then we can also focus on the common issue, common challenge.
Shelagh Maloney: Can you tell us a little bit more about the countries that are participating in GDHP? I know that there’s a mix of countries who are maybe a little bit more advanced, and a number who are maybe newer to the game, less sophisticated when it comes to cybersecurity, which I suspect is a great advantage for them, simply because they get to take advantage of, you know, learning from others and learning from more experts globally.
And I understand that the work stream has a new deliverable out, the Model Security Notice. Can you tell us a little bit about that?
Mikki Smith: Yeah, absolutely. So we have a number of countries that are participating in the cyber security work stream. We find that we get a lot of participation. So just a sampling of some of those are Australia, the Netherlands, who is currently serving as the overarching GDHP chair.
We have, of course, Singapore, South Korea, and other smaller member states that join us to talk and learn, like Fuller said, to exchange good information about where we are, because some health ministries in our global space are very far along. Like, for example, Fuller and their program, very far along. We’ve had the opportunity to visit Hong Kong last year, and it was extremely informative the things that they’re doing in the health information technology space, but also the very mature cyber security operations center that they have, how they’re responding to incidents and how they’re sharing that information across the board. So being able to exchange information like that with our member countries is invaluable because all of us, I think, take that back to our own programs and say, you know, here are some of the things that we can do. In addition to that, the cybersecurity work stream is trying to be a little bit more, I would say, maybe aggressive, about providing guidance and doing something, a cybersecurity deliverable every year.
So Shelagh, as you mentioned, we had last year, our model security notice, which we’re still formalizing and trying to get support for posting and making available for public use, but that model security notice was sort of a self-attestation for any health IT developer: a tool that would help them walk through attesting to the security considerations that they have built into their health digital technology.
We had something similar in the U.S. for privacy, but we didn’t have one that was security focused. And one of the things that I know Fuller and I make sure that we hone in on is that when we say cyber security, we’re not necessarily leaving out privacy, right? Because that’s a big part of it, is the confidentiality of data and privacy also has its own separate information discipline and can also generally be in the legal space. I know in the US, it is.
So making sure that we can share things that we can adopt and tailor for a global audience is a big part of what we want to do at the cyber security work stream with the member countries. So the model security notice was one of those things, and we are looking to publish some companion guides to go along with that and make that available, hopefully on the GDHP.health site that is publicly accessible to the health sector.
So shameless plug for going out to GDHP.health and learning, learning more about not just the cybersecurity work, but all of the work streams and all of the important work that they’re doing there.
Katie Bryski: No such thing as a shameless plug on this podcast.
We are always happy to link out to the excellent work that’s happening. And we will put a link to gdhp.health in the show notes. But Mikki, you raise an interesting point too. All of these different countries that are collaborating and they’re sharing information, their contexts are all very different, right?
Our health structures are very different. Sometimes our government and legal structures are very different. What is both the challenge and the opportunity of bringing all of these vastly different perspectives together?
Mikki Smith: That’s a good question, Katie. I mean, you know, I think that you’re absolutely right.
You’re right. Everybody’s health ecosystem across the globe is different. One of the challenges for the US, let’s say, for example, is that our health, except for the one government run program for Medicare, our health system is largely private. Particularly my agency, we don’t regulate them. Right? So a large part of our challenge is encouraging them and then collaborating with them to adopt cyber security practices internally, whereas there are some of our member countries who have the ability to because of their sort of national health system profile, they have the ability to sort of really kind of inform and mandate certain cyber security requirements.
But what I will say is even with those challenges, one of the things that remains constant is the maturity of the ability to implement cyber security best practices. Everybody is faced with that same challenge across the board. And so bringing together a collaborative like this really does help us to come up with strategies that leverage our collective knowledge in this space and say, “What are some of the things that we may be able to inform?”
And even if it isn’t something that we take on as, let’s say, a cyber security work stream project as a part of GDHP we are able to share frameworks, for example, cyber security frameworks. What are the guidances that we all have around medical devices? And then how do we then share that and make that actionable?
For other countries who may not have made as much progress in a certain space. One of the things that I love about the cybersecurity work stream is it’s being able to balance that strengths and weaknesses. Some people are just starting a particular program and they can leverage a more mature countries like Hong Kong and us and Australia to get, let’s say, a jumping off point, right? They’re not starting from zero and we’re a built in support system for each other to be able to reach out and say, you know, we’re just starting this framework. We know the US is very mature in this framework. How do we get there? You know, what are the steps to helping us get there and being able to share that?
Across the board. And I’m sure Fuller would agree that I don’t think we ever walk away from our exchanges without feeling like we’ve helped each other, but also gained, you know, for our own cybersecurity efforts that we have in our nations.
Fuller Yu: I fully agree with you, Mikki. I think this is the reason why we have our project in the GDHP, and that’s why we keep encouraging different countries to join us, to really uplift the maturity level.
Katie Bryski: So one of the things I find so interesting about this work stream is, in healthcare, right, we often talk about leveraging what we have and collaborating and building on shared best practices. And I think this work stream is such a great example of those concepts in action.
Something else I have seen with the cybersecurity work stream is that you are really focused on educating and empowering and bringing people in. So as I think about myself and some of the listeners who are tuning into this podcast, you know, we may have some cyber security knowledge, but not necessarily be experts, you know, cyber security may not be the main area of responsibility.
But being aware that cyber security is everyone’s responsibility. What are maybe one or two pieces of advice you would have for people in that position? Like, what do you think would be helpful for them to know or to keep in mind?
Fuller Yu: I think the biggest issue or the factor, I think, always is the human factor, number one.
Number two is, I really say that even if you are not primarily responsible for cybersecurity, you may not be a cyber leader, but I would say that cybersecurity is a team sport and everyone has their own responsibilities. So if it is a team sport, that means that everyone should have a place, have a role to play.
I think this is equally important regardless you are just an end user or you are a cyber expert. Because if you look at from the cyber security incidents, most of the incidents start with a user, uneducated user, just click a phishing link, or open a malicious file, or attachment, things like that. So I think the human factors is very important.
And I think every one of us in the organization have an important, crucial role to play. For example, I think everyone should receive the education, uh, should be equal to just, um, doing nothing, but detect phishing email. Very simple, right? So what’s the criteria of the phishing email? What’s the human emotional factor that’s being leveraged to create a phishing email?
And what’s our response, well, way to block the phishing email and to detect and to respond to phishing email. If we can do this, it’s just a baby step, but if more and more employees or more and more people, I mean, colleagues in an organization, we can do that. I mean, the whole organizations, the culture will be increased, will be enhanced.
The maturity level will also enhance. And this is a less way to create a phishing email being clicked and create subsequent incident. And this is really, uh, from the top of the house that to provide a key message that awareness is very important. Everyone should really pay attention on that.
Finally, I think it’s worth to really make sure that awareness is not only for the colleagues at the professional setting, but awareness should be also benefit to the personal life because everyone we are all more have our digital footprint.
We go to shopping online. We do our, whatever things are online. The cyber literacy, I think is very important. So that those are where those information tips would be not only good for professional time, but also for our colleagues’ personal time. So I think this is a good, good to share with that.
Mikki Smith: So I love this topic a little bit because it always reminds me of Katie’s, you know, coined term cyber curious, right? Like, you may not necessarily be a cyber security professional, but you’re cyber curious. And I love that because we actually want people to be cyber curious, right? So Fuller’s point about not just impacting your professional life, it does impact your personal life.
And having this sort of awareness around cyber security and its importance in the health sector, of course, but it just in general also helps raise that level of awareness around cyber security, and it takes away some of the mystery, right? Like Fuller said, you know, even something as simple as a phishing email can make the difference between reporting, blocking and reporting that as spam or clicking on it and suffering a huge event that makes national or international news, which we all have experienced, and not, not so long ago.
Right? We’re talking recent, recent times. Um, so that’s really important to become cyber curious people to become familiar with the language of cyber security. And what does what are some of these best practices mean? And we’re not talking about super high technical terms, right? We’re talking about things that we do every day, like passwords and authenticators and, you know, using our apps to unprecedented ways, particularly in the health sector, making sure that we’re leveraging security to protect that data, right?
Like biometrics that we have now and those things. We’re all familiar, I think, with those things, and that helps to take out the mystery of some of those protections, and it also helps to raise awareness with those people that are generally cyber curious and also gets them to sort of dig in a little bit more on what else can we do to protect our information?
That’s a big deal in health sector because you do have mostly clinical practitioners that are not necessarily cyber security experts. But to Fuller’s point, the cyber security experts are here to sort of implement that holistic approach of cyber security from a layered defense perspective to help educate the community because, as Fuller said, we all have a part to play.
Right? It’s a team sport. It’s a shared responsibility and we all have to do our part, particularly if we’re connecting right in exchanging data, but for the person that necessarily is not a part of their day to day, one of the major things that we want to do is make that awareness point to say, these are some best practices that you can use.
Here is some guidance that’s easily ingestible and actionable that you can leverage in your organization or in your personal life.
Katie Bryski: As a personal attestation, definitely the cybersecurity training modules I have to do every year at my day job have absolutely saved me in my personal life. The awareness is important.
And maybe as a closing question, you know, we’ve talked a lot about some of the trends in cybersecurity. You’ve both used words like journey and transformation. I think underscoring that cybersecurity is a moving target, right? And the system is more complex and technology is changing. So as cybersecurity leaders, as you look to kind of the future, how are you feeling?
Like, are we ready for what lies ahead of us? What can we do to prepare?
Mikki Smith: I’ll start, because Fuller will have some good insight on this too. But yeah, I think one of the things that as even in the collective of the cybersecurity work stream, but just in general within our individual organizations, and I know this has impacted Fuller too, is the discussion of, you know, highly advanced technologies that propel us forward in an IT space and then catching up from a cybersecurity perspective.
Right, we’re all talking about artificial intelligence, quantum computing, and the ability to sort of take massive amounts of data and not only analyze that data, but trend set on that data and do prediction decision making on that data based on these advanced technologies that will be coming out.
Are we ready? Of course we’re not. No, we’re going to be as ready as we as we ever are, right? One of the things that I’d like to and I’ll be interested to hear what Fuller has to say, but one of the things that I like to talk, I just talked about and address an AI work group and I’ll be talking to another AI work group tomorrow.
Yeah. One of the things that I like to make sure that I ground everybody in is that cyber security principles do not change. It doesn’t matter what the technology is, right? Those protection mechanisms. And when I say the principles, I mean foundational principles. I don’t mean the technology and configuration settings.
I mean, making sure you have a contingency plan and backups, making sure that you have policies and procedures in place, making sure you’re conducting training, making sure that you are changing passwords on a regular basis or moving away from passwords and going towards more multi factor and token based authentication methods.
Those are foundational principles of cybersecurity that we all can understand and that don’t change even when technology gets more advanced. So, when I speak to groups that are like, why, you know, what do we have to worry about now with AI and cybersecurity? It’s the same thing you had to worry about before.
These are the same practices that are going to, as Katie mentioned, save you as you’re adopting these more advanced technologies. There is a part of that that is going to require more technically, you know, educated cyber security professionals in terms of architecting the solutions and making sure that as we talk about with the cyber security work stream that we’re implementing things with security
by design, meaning that we’re putting security into our designing concepts as we go forward to roll these technologies out. So if you have a project in your cyber security professional and you’re adopting some of these newer technologies that are coming out, you’re going to want to think about those security practices on the front end, not the back end.
Which is something that we’re still recovering from in the health sector, right? Is cyber security being retrofitted in after now? I think because we have this strong awareness we’ll be talking about building cyber security in to your design on the front end. That is what I think is going to be really key as we look to leverage some of these powerful technologies that really are going to help propel us forward globally.
But also we want to make sure that we don’t open ourselves up to being vulnerable by not considering cyber security on the front end of those adoptions.
Fuller Yu: As Mikki mentioned about the security by design and security by default, I’ll make a touch base around the people side. Cybersecurity, I think, is a very growing market, growing business.
In fact, if you look at just, I think, this year, the World Economic Forum, they issued a cybersecurity report saying that globally there’s a shortage. We’re talking about four million cyber security professional shortage and this four millions is that the four millions demands is yet to be filled, so I think at the individual level, if you are listening as a parent, I really want to encourage my kids to really to consider the cyber security industries.
And as in the current is really a digital world, I think everyone talk about generative AI. We talk about lots of the new technologies that involve AI. That is really a lot of cyber security’s demands for data. So I think from the individual perspective, this is the one thing.
Mikki mentioned, make sure you understand this is a team sport. And if you’re a manager, uh, if you’re a leader, make sure, um, cybersecurity is not an IT issue, but it’s really an enterprise risk issue that should be discussed at the board level. Finally, I think I’m quite positive because even there’s lots of incidents, lots of bad things happens.
It really means that we still have the way to win the game. And I think by winning the game, we need to work together and everything we came to victories and make sure we can create better, safer and more reliable internet and a more reliable digital world for all of us.
Shelagh Maloney: It’s been lovely talking to international guests today, not only international guests, but unicorns.
We need more of you in this world.
Mikki Smith: No, thank you for the opportunity, Shelagh and Katie. I really, really appreciate it. Any opportunity to highlight what we’re doing with the global digital health partnership and the cybersecurity work stream. Fuller and I are always looking for interested participants.
So please, if you are listening and you’re interested, just reach out to us at gdhp.health.
Katie Bryski: And we will put links to all of this in the show notes. Mikki, Fuller, really appreciate your time today.
[Musical interlude]
All right.
Well, what did you think, Shelagh?
Shelagh Maloney: It’s a great discussion and by the way, Katie, congratulations. You’ve coined a new term. Maybe this will pick up some traction. Cyber curious. It’s a great term and I think everybody needs to be cyber curious, but, you know, it’s interesting. Everyone understands that security and cyber, it’s important, and I just wonder how many incidents we don’t know about. But it’s great to have awareness and human factors and there’s probably so much we can do to protect ourselves.
And I love the notion that it’s everything that you do at work, but applies in your personal life as well. And to your point that you made earlier is like, you know, I do that training as well. First of all, I have to say the training has gotten so much better. Now I’m seeing cartoons and it’s a four-minute video I have to watch, but it’s really informative and it’s well done. It’s not somebody reading something.
But that, you know, “It will save us in our personal lives and in our professional lives.” And the other piece I want to pick up on, I’ll let you talk first, though, is around that culture. And building a culture of cyber curiosity or cyber literacy and just having people know that because nobody wants to be the person who brought the company down because they made a mistake.
Katie Bryski: Yeah. You know, I’ve joked before. I never know if I feel terrified or encouraged after I talked to cybersecurity experts, because on the one hand, the stakes are so high. And some of these malevolent actors, they’re very good at what they do, right? It can feel overwhelming, but to Mikki’s point, I think having that cyber literacy and that cyber curiosity does take some of the mystique out of it so that you do feel like you can do something.
Because I think that’s a lot of the reason why it can feel easy to be overwhelmed by cybersecurity, right? You feel like one grain of sand against a huge machine. So if you kind of have the set of guiding rules to steer by and you pay attention and, you know, you keep your wits about you. I think you can take care of yourself perhaps a lot more than, than you might have thought otherwise.
With the caveat that we should always be leveraging and leaning into the cyber security experts that we have at our disposal in our own organizations and around the world.
Shelagh Maloney: You know, it’s interesting. I was at a session a week or so ago and one of the comments was that what cyber hackers do, and cyber criminals do, is they create a sense of urgency.
And they feed on people’s ability or desire to help. And so when you think of health care, a sense of urgency is definitely there in spades. And people who go into the health system are usually people who want to help others. And so it’s a perfect environment, the perfect storm, as it were, for these kinds of things.
And the value of health information, as was discussed by Mikki and Fuller, you know, raises those stakes even higher. But to your point, and to Mikki’s point about the principles being consistent and it’s common sense in a lot of ways. If you are questioning, if it’s too good to be true, you know, take action or don’t take action as it were.
Don’t click until you verify. And I love this global aspect of it. The GDHP Cybersecurity work stream is an excellent example of building and leveraging best practice and learning from one another. We talk about that in healthcare all the time, but we’re not necessarily great at doing it. So this global initiative, bringing people together to be supports for one another, to learn from one another, is a really, really great example of building in best practices and leveraging our expertise.
Katie Bryski: Yeah, and again, I think it ties into that creating a culture of security. Fuller talked about that, like, it’s not just the tech. It’s also how we as humans operate, right? I think the people side of cyber security and the people side of digital health broadly is an important piece to keep track of.
So approaching it with that lens, I think, is a good reminder.
Shelagh Maloney: And speaking of reminders, it is Cybersecurity Month, so this is a perfect time to launch this podcast and be inspired and be informed. Hopefully this will help people listening to make themselves more aware.
Katie Bryski: So I’m sure there are many great resources on the Digital Health Canada website if you need something to tide you over before our next episode.
Thank you for joining us. We will see you next month, right here on Digital Health in Canada, the Digital Health Canada podcast. Thank you for listening to today’s episode. Digital Health Canada members can continue the conversation online in the Community Hub. Visit DigitalHealthCanada.com to learn more.
Be sure to subscribe to the podcast to get new episodes as soon as they’re available. And tell a friend if you like the show. We’ll see you next month. Stay connected, get inspired, and be empowered.