Turning points in life can come when we least expect them. And that’s just what happened to 16-year-old high school dropout Phil Alexander when his dad told him to get off the couch and find a job selling cars at one of the local dealerships. For Alexander, the exercise in persistence led to a position that taught him how to sell, and that – along with focusing on the basics – has been a cornerstone of his cybersecurity success. It’s a recipe that can work for anyone, he says; he even passes around copies of his go-to tome, “Extreme Ownership,” by former Navy SEAL Jocko Willink, to get across the point that when confronted with failure, we need to look in the mirror first. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Alexander covers these issues and many more.
- KTLO B&T
- Talk Risk, not Vulnerabilities
- A Diverse Background
- Extreme Ownership
- Practicing Persistence
- It’s All About Leadership (Even Cyber)
- Operationalizing BCP
- Help on the Way?
Anthony: Welcome to healthsystemCIO’s interview with Phil Alexander, Chief Information Security Officer with North Mississippi Health Services. I’m Anthony Guerra, Founder and Editor-in-Chief. Phil, thanks for joining me.
Phil: Thank you, Anthony. Appreciate it. Glad to be here.
Anthony: Good, looking forward to it. Do you want to start off by telling me a little bit about your organization and your role?
Phil: Sure. I am, as you said, Chief Information Security Officer here at North Mississippi Health Services. We are the largest rural health system in this region. We have seven hospitals spanning Northeast Mississippi and North Alabama. Of course, many, many clinics, hundreds of clinics and nursing homes, and we’re also a payer as well as a provider. Lots and lots of history, almost 100 years old. And very proud of our region and the people we serve.
Anthony: Excellent. So I think the rural thing will come up in our discussion. I know there’s some unique challenges around cyber that rural organizations face.
Anthony: But I want to ask you a wide-ranging question and just see where you want to go. So you could either answer, what are some of the trends you’re looking at or some of the things you’re working on, if you’re comfortable with that. But just in general, what’s on your mind?
Phil: Yes. I mean, obviously, I try to keep my team focused on the basics. And it’s not the sexy stuff, nobody likes to talk about the basics, but it’s the basic, old-school stuff that’s been going on since the ‘90s, early 2000’s. I mean, do we have – heck, do we have anti-virus on everything? Are we patching? Are we updating? How’s our firewalls? I mean, all of these things everybody should have – should is the key word. And so, I try to focus on that. But at the same time, all of the Hollywood lights and smoke and mirrors pops up like AI and robots, and we can’t ignore the new stuff. And so, when those things come up, I call them fad stuff. And I’m not saying AI is a fad. I’m not saying it’s going to go away. I’m not saying bots are going to go away. We’re using some of those in our hospital. Those things are starting to happen, and we have to address them from a security perspective.
But at the same time, we don’t want to get too far in advance. We don’t want to go too far too quickly because a lot of things are – I think about for instance Google Glass. I remember when Google Glass first popped up, right? Everybody wanted to use Google Glass in the healthcare setting. I had physicians, I was in an academic medical facility at the time and we had physicians who were also teachers at the university. And so, they wanted to use Google Glass during their surgery. Great use cases. I mean, I’m not saying they weren’t great ideas, but that quickly faded. It didn’t last long. And so, you think about ChatGPT and some of the other technologies that are coming around and we’ve got the same thing. We’ve got physicians wanting to use it today.
And so, we have to address those pop-ups as I call them. I think AI is here to stay, and I think it’s just going to flush itself into our culture and we’re going to have regulations. We’re going to have processes in how we do it. But I don’t like my team or the hospital to focus too much on those big pop-ups like that. Let’s keep focused on the day-to-day boring, everyday stuff that really, at the end of the day is the core foundation of security.
Anthony: Yes, it’s funny, what if you had put your whole team on Google Glass? “We’re not doing anything else. I want you guys on this.”
Phil: “Let’s see how we can secure it. Let’s work on it. Do all this stuff and spend a lot of time,” exactly.
Anthony: Good stuff. So blocking and tackling is important. Everybody knows it’s important but it’s not easy. Why is it hard to get blocking and tackling right?
Phil: Well, before I joined this call, I was just on our annual budgetary call with the CFO. And so, I think that’s the key, when you’re trying to explain it to the CFO or CEO, those blocking and tackling things. First of all, it’s easier to get funding for new, sexy initiatives, right? Virtual care, something new that’s – these robots. “We have staffing problems, so let’s get some bots to take over.” Those make sense because those are cost-saving initiatives. But oh, “We need more space or we need storage or we need VMs or we need to upgrade from an ’08 server that’s been around for a long time. We need to get off of that to something newer.” Trying to explain that blocking and tackling basic stuff from a budgetary standpoint to a CFO or CEO is difficult.
Second of all, even in IT. I mean, a lot of times, the basic stuff doesn’t get the love it needs because people want to work on the newer stuff. The basic stuff gets left behind. And there’s so many projects. We are trying to work on projects that are for the customer. That’s what gets project management’s attention. The blocking and tackling never get listed on a project management list for the next year. And so, you have X amount of hours spent or budgeted of resource time for capital projects. But unless you have a very dedicated PMO process that also allocates the KTLO hours in your PMO process, then those get left behind. And so, it’s very difficult. You’ve got finance. You’ve got PMO. You’ve got IT. Everybody forgets about the basic blocking and tackling items of your firewall maintenance, patch management, all that basic stuff that’s got to get done every single day. They take time but all the time goes into the sexy capital projects.
Anthony: We’ve got some good acronyms there. I don’t know, can we use B&T for blocking and tackling because we already have KTLO. Should we combine those? We’ve got B&T, KTLO.
Phil: That’s right.
Phil: Yes, yes. That’s right. I know.
Anthony: It sounds like a radio station, KTLO.
Phil: KTLO, that’s right. WKTLO, coming to you live. Yes, I get harassed all the time. I used to work in the government, so I use a lot of acronyms. But yes, for those who may not know, keep the lights on.
Anthony: I got it.
Phil: Yes, yes.
Anthony: So B&T, KTLO. So you mentioned that – we understand that. You’re talking about robots and things like that and maybe people get excited because they say, “Oh, there’s a PR element to this,” right?
Phil: That’s right.
Anthony: There’s a marketing and PR element to this and it’s cool stuff. You want to put on a new server. That’s not so cool, okay. But I guess it’s part of your job to do that difficult explaining. To explain why the boring stuff has to be funded, right? So that’s part of your talent that you have to bring to the table is, explaining it. I guess, turning that technical speak into maybe risk speak, right?
Phil: That’s right. Exactly right. So you hit on the point, I think a lot of CISOs make a mistake by using the word vulnerabilities and they try to talk vulnerabilities. “This is vulnerable, blah, blah, blah,” but they don’t talk risk. And senior executives understand risk to the organization. So you’ve got to talk risk. That’s the word they understand. That’s the model they understand to the business. And if you can explain it to them as a risk to the business, not to cyber but to the business, because cyber risk is business risk. And so, you’ve got to translate that and what it’s going to cost and what’s it going to do to our organization and time in terms of if we’re down, if we lose it, et cetera, and you’ve got to be able to explain that. That’s what I was just doing on the budget call just now. Not my security tools, but I have infrastructure guys who have some stuff in the capital budget. The CFO was asking, “Why are we funding this? What are we doing this for?” The infrastructure director is sitting there going, “Uh.” So I have to jump in and say, “Let me explain the cyber risk if we don’t do this. It’s not because the infrastructure guy just wants to go do a bunch of new stuff.” I’m the one who said we need to do that.
Anthony: It’s really interesting. So most CISOs come up out of infrastructure, right? Networking, infrastructure, they come out of that line. That’s not really where you learn how to speak business speak, right?
Phil: I’ve built two programs. Now this is the second time I’ve built a program from the ground up. First at UMC Health System and now at North Mississippi Health Services. Both times, I’ve got vendors, I’ve got auditors. Others say, how are you doing it? When they come in and they see some of the stuff I’m doing, how are you doing it? And I tell you, once they learn my background, then they go, “Oh, okay. It makes sense.” Almost like it’s a cop out. Almost like oh, you’ve got – it’s like an excuse. I didn’t come from that IT technical background. My degree is in psychology. I was a car salesman for many years and my dad owned a car dealership. And so, between sales and reading a lot of Zig Ziglar, right?
Between sales and psychology, and then I was in the Army as an intelligence analyst having to brief generals and pilots and others on the intel threat. All of that makes me who I am. So I do understand background comes into play. And so, what I do is when I talk to – in fact, I have a mentorship program that I work on and every other Friday I meet with four or five up-and-coming CISOs. Folks who want to be CISOs, or security managers or directors who want to be CISOs. And I tell them all the time the same thing. I’ve got folks on there that are great technical minds, but they can’t speak at an executive level. They don’t have executive presence. And so, I provide them – send them books or resources that they need to work through. I’ve even hired myself an executive coach to talk through those things and figure out where I’m lacking and where my gaps are. And so, we have to understand where our gaps are. We can’t just say, in my organization, this is going to work. There’s different levels and those executives, if you can’t speak on their level, you’re going to be frustrated and go, “Why am I not getting the funding, and why am I not getting the support that I need?” It’s because they don’t understand a word that you’re saying.
Anthony: It’s so easy in that situation to blame them in your mind.
Phil: That’s right.
Anthony: They don’t get it. They don’t understand. But that’s not going to get you anywhere. That’s not going to advance your cause. You have to look at yourself and say, why don’t they get it? Am I doing something wrong?
Phil: Yes. And I’m a big Jocko Willink fan. He’s an ex-Navy SEAL. He wrote a book called, Extreme Ownership. And so, I buy that book for every new employee that comes on board, any one of my analysts, and we do an offsite once a year just around that book, Extreme Ownership. And we take ownership for – if we try to sell something, whether it’s to an executive or an IT person, even my security analyst, if they go to their IT cousins and they say, “Hey, we need to do X, Y, Z,” and they can’t get it sold, it’s not they who have a problem understanding. It’s me who is having a problem selling it. And so, I’ve even brought in a coach to my team to teach them the three-part elevator pitch. Three minute, three-part or four-part elevator pitch in three minutes. You’ve got to learn to sell. You’ve got to learn to talk to your audience. And so, it’s always my fault if they don’t buy it. And so that’s what we have to understand. What did I do wrong? What can I do better next time to get that message sold?
Anthony: So it’s interesting, a lot of people who aren’t forced to do sales at any point, they wind up thinking it’s a dirty word, but everyone has to sell in one way or another. When you sold cars, did you work for your dad?
Phil: No, I didn’t actually. Yes. When I was 16, I dropped out of high school and was a bum on the couch. And my dad one day called the house and asked my mom, “What’s Phil doing?” Well, he’s still on the couch watching TV, right? And so, he said, “Send him to my office.” So I go into my dad’s office and I go in there, which is never a pleasant experience at 16. And he gives me the speech, which happened to be a linchpin moment in my life. And he gave me the speech that everybody in town is hiring, you just need to go and get hired. Everybody is hiring. Every manager, their mind’s got somebody on their team they’d love to get rid of if they could find the right person.
Phil: And so, he said, “I want you to find this place here in town that you want to work at. You go there and find out what time they open up. Be there 30, 45 minutes early and find where the manager puts his key in the door and you’re standing right there.” So the next morning, I went to one of his competitors. And I went to that car dealer – I didn’t tell him because I was just going to do it to spite my dad. And so, I go to the competitor and I was there at 5:30 in the morning because that’s when Les Owens, the manager, was there. He was putting his key in the door and I told him I said, “Yes, I’m looking for a job.” And Les says, “Sorry, I don’t have anything for you.” Okay, great. I was excited. I proved my dad wrong. They’re not hiring. You said everybody was.
So then, my dad told me at supper, “Well, what did you do?” I told him. He said, “Good, go back tomorrow.” What? He said, “Go back tomorrow.” I went back every single day for six days straight and then I said, “Dad, he’s getting mad. Do you understand?” He goes, “I’ll tell you what, you go back tomorrow and you tell him, listen, I’m not coming back. This is my last day. You’ve just lost the best salesperson you’ll ever have.” And Les hired me that day and changed my life. And I went to work for him and it was a life-changing experience. It taught me that if you want it, you have to go get it and you can’t make excuses. You just go do it. And of course, then that got me into the sales game. But anyway, so yes, I did have that experience early on and it’s helped me. But again, there’s other experiences I didn’t have. I was still shy even though I sold cars. I finally went to college and I took some public speaking lessons. I couldn’t speak very well. And so, in college I decided to take some public speaking courses because I knew that was a gap I had.
Phil: And so, throughout my life, I still look and say, where am I weak? Let me go work on that. And what’s funny, we’re talking here and we’re talking about cybersecurity and what we’re talking about really is leadership stuff, right? And that’s what it’s all about. I’m writing a book right now – a little shameless plug. I’m writing a book right now on the key components of a cybersecurity program and it’s all about leadership. As I’m going through each chapter, I’m like, I’m not writing anything about patch management or anything like that. Security leaders, and I’m talking about even managers and below, if they cannot work with their IT brothers and sisters and get them to understand why that should be baked in, if we can’t operationalize security with our operational components, if we can’t deal with their executives, we’re going to fail.
And it’s not just knowing – like you said, Anthony, it’s not just knowing the technical side. If we cannot operationalize what we do by selling it to the executives or even our counterparts in IT, we’re going to fail, and it’s our fault. And so, part of that is understanding our leadership abilities and our sales components. How do we sell?
Anthony: Yes, and then you’re talking about interacting with IT. What about interacting with clinicians?
Anthony: I mean, that’s even a whole – that’s a much further elevated skill set right there, right?
Phil: That’s right. That’s right. But I think today, we have it much easier than – I’ve been doing this for over 20 years. Much easier today because the word is out and I’ve even got providers now, physicians that come to me and say, “Hey, I work on EMR X. That’s my platform. Do we have it backed up?” I had one the other day ask me that. That would have never happened 10 years ago, for a doctor to be asking if we have software backed up. But he was concerned that what he does for a living could stop because he’s got people that he knows, other physicians in other hospitals, that got breached and had ransomware and there was no backup. So he wanted to make sure he was okay. So he started understanding that. So I think today, we have it a little bit different because it’s hit the news. There’s doctors who have friends who were in other hospitals that have been breached. And so they’re getting the word. So it’s a little bit easier, I think, to talk to those clinicians than it was in the past.
Anthony: And I think that’s absolutely right-on because they say you have to frame things. Risk, you’re talking about framing things in a risk sense for executives. Well, when you’re trying to talk to clinicians, they say you frame it up in patient safety.
Anthony: But as you said, it’s not a hard sell anymore. I think any clinician that puts five minutes into thinking about it is scared to death of losing the systems that they use to do their work every day, because they have no idea how to do their work without the computers. They don’t. So as much as everyone talks about backup procedures and tabletops and things like that, I think everyone’s in a real trouble once the system goes down. No matter what things you’ve done.
Phil: That’s right. No matter what it is.
Anthony: Because I don’t know how much people are really running through. Clinicians, getting them to know how to work on paper. I don’t think that’s happening. Do you?
Phil: No, no. That’s right. And so, I have a BCDR manager that works for me and she’s doing this business impact analysis. Our business impact analysis with our operational folks, she does all the major silos as system-level areas every year and goes and talks to them and says, “Listen, if you lost it, how long can we be down? How much data can we lose?” All of those different discussions with them. When we talk to the doctors, they’re like, “Um, I think IT handles all that, right?” I understand but I’m asking you, what’s your appetite for loss? And of course, then they get the saucer-eyes when you start talking about it. Then it becomes real and I think if you have those conversations, that’s what I was talking about in terms of operationalizing. If we don’t have those conversations operationally, it’s a problem.
I have a cybersecurity council that meets every two weeks. It’s got my executives on it. We’re about to stand up a subcommittee for IM steering and have a bunch of nurses and others on that committee, not IT people. Have the operational people pull back the curtain, put them on those committees, on those councils, on those governance councils and it changes the conversation real quick because all of a sudden they see the risk. You’re explaining it to them every month what’s going on – not just some quarterly report. These aren’t reporting. These are making decisions. And so, I think that’s the key is it’s bringing them in to the conversations. When we start talking to physicians in that way and letting them get a voice, it’s a big difference.
Anthony: When it comes to BCP, where does the CISO responsibility end and the individual department’s begin? For example, you’re not going to make sure they know how to function on paper, right? Or does the overarching hospital business continuity department (that would also cover hurricanes, etc.) cover that?
Phil: Right, yes. That’s a great point. So in my last organization, that’s exactly what happened. We said we will do the business impact analysis. We will provide some draft copies or some templates on your business continuity plan. Here’s a great plan if you want to use it. We even gave workshops. We did these quarterly workshops where we would let them ask questions and we had the templates there and helped them fill them. But we’re not going to do it for you and we’re not going to keep it up to date. That’s your job. You need to make sure your business continuity plan is up to date, make sure where it’s at, make sure you drill it. I make sure that my business continuity and disaster recovery manager have a seat on the safety committee. The hospital has a safety committee like you’re talking about and there’s a person in every seat from the different parts of the organization.
And so, annually, when they build out their tabletop exercises, there’s a cyber event built into those as well. Or if they say, “Hey, we’re going to do one for tornado. But guess what, tornado also takes out networks and power and other things.” So it’s also not just, “Oh, we lost part of the building,” because that might be the power grid area of the building. Let’s think what all would happen. And so, it’s not just about moving patients from one part of the building to the other, it could also mean network outage at the same time. So can we dual role this tabletop, and that has been effective as well for them to think outside the box because you’ve got power people in there. Power, space and cooling people in those tabletops. But in the past, we’ve lacked having the cyber side of the house, somebody from IT. So I think you have to have a seat on those committees and talk through it. But you’re absolutely right. I think there’s got to be a decision line.
I’m starting to hear that chatter across the cyber spectrum as well around the risk level or the risk area. Where’s a cyber risk and organizational risk? So every organization has a risk person whether it’s a C-level person or a director of hospital risk. We hear it now from American Medical Association; I think it is said that cyber safety is patient safety or cybersecurity is patient safety, right? And we know that cyber risk is a healthcare risk or a hospital risk or an organizational risk. So shouldn’t our risk then be reported to the operational or the organizational risk manager or director or chief? Shouldn’t they be tracking that? If this is a number one risk, for example, we’ve got a major problem here with our data or whatever, it’s massive. Shouldn’t that be on their radar? Shouldn’t that be an organizational risk? And it should.
Anthony: I would think so.
Phil: Yes, and it should. And so, I think a lot of organizations still haven’t risen to that level to where their organizational risk person is in alignment with the IT risk person. They’re not working hand and glove.
Anthony: What is the most likely scenario of disaster that could disrupt our operations so we can’t provide services? I mean, I don’t know if depending on some parts of the country, a tornado is more likely than a ransomware event. But in general, I would think a cyber event would be the number one most likely thing to cease your operations.
Phil: That’s right.
Anthony: So then for that not to report up doesn’t make sense.
Phil: That’s right, yes. I’m in Tupelo, Mississippi and I’m from West Texas. We’re Tornado Alley, but I live in Tupelo, Mississippi right now and I’m telling you, every single year, we have a tornado touchdown in our region, in our operating region. And so, they’re very, very acutely aware of the tornado threat here. But at the same time, we haven’t had a tornado take out the data center. We haven’t had the tornado really take out any of our hospitals. But on the other hand, cyber has infected us. And so, you’re absolutely right. I mean, the likelihood is so much higher for cyber and yet those operational risk people aren’t even thinking about it.
And whose fault is it? Going back to extreme ownership, that’s our fault. That’s my fault, right? That’s our CISOs responsibility for getting them to understand. Have we had that lunch with them to say, “Hey listen, I want to be your best friend. Let me show you. You think you can’t sleep at night now, guess what? Here you’re about to really sleep less, right? Let me show you some stuff.” And then show them the metrics. Show them the numbers. Because I think a lot of times too is that, they don’t look at the same periodicals, the same websites, the same Twitter feed, whatever, that we do. And so, they think, oh yes, I know there’s a cyber threat but it happens once or twice a year, somewhere in California. That type of thing.
Phil: Are they really seeing the same news that we’re seeing because we keep up with it every day.
Anthony: I don’t know if this is true but I really think that the perspective of a lot of folks maybe if systems go down is, ‘Well, let’s go to lunch and they’ll be back up.’ But it’s not, ‘let’s continue operations somehow.’
Phil: We had an outage one time at an organization I used to work at and the clinic people just shut down and went home. They canceled all their appointments and went home. And it was like, what? “Well, we got to wait on IT.” Their business continuity plan was to wait on IT. It was a one-liner.
Anthony: I really think so because I think unless you’re really plugged into the news, you think most outages are an hour or two hours. So it’s inconceivable that it would be weeks. It’s inconceivable they could really continue operations on paper.
Phil: That’s right, exactly. Yes, and I’ll tell you, I screamed and hollered when I came here about making sure that even our Microsoft 365 environment was backed up because by the way, in case you don’t know, that’s not automatic. You’ve got to pay for that. That’s separate from Microsoft. So people just automatically assume, “Oh, I get AWS. I’ve got Azure. I’ve got whatever. It’s all good.” Just because you’re in Azure, just because you’re in AWS doesn’t mean all the security is there and it’s all backed up. You still have to do those things. When Microsoft crashes and you lose email. And what we thought? I’m not kidding. We thought, well, if your email crashes, just pick up the phone and call somebody, man, no big deal. We did not realize how much people relied on their calendar. I mean, the calendar –
Anthony: Oh, yes.
Phil: I mean, the calendar shut down everything. I mean, it’s insane the amount of stuff that’s on our calendar. If you lose all your emails, you lose your calendars, you lose all your files …
Anthony: And your contacts.
Phil: Your contacts.
Anthony: With all the phone numbers.
Phil: That’s right.
Anthony: That’s where all the phone numbers live.
Phil: Everything’s gone. I’m telling you it was devastating. When you have that event, then you start realizing, okay, we’ve got a problem and we need to really look at every system that way.
Anthony: And you realize why that instinct is to say, all right, let’s just go to lunch and then hopefully, it will be up.
Phil: That’s right. And so, when you start looking at that from a business impact analysis on each application, I think a lot of times, if somebody on the team who’s doing BIAs have never been through an outage, never through an event, if nobody in that room has been there, they’re going to say the same thing I did years ago. Oh, yes email. Please, email. They can just pick up the phone and call somebody, right? You blow it off because you’ve never – we don’t understand how impactful it is. And so, those of us who’ve been in the business a long time and have experienced some of these things, we have an obligation then, a responsibility then, to try to craft that message to those clinicians, to those executives, to IT about the threat, about the experience of what would happen if this doesn’t – not just Chicken Little, the hair’s on fire, but break it down exactly what’s going to happen.
Anthony: Listen, we’re at a half hour where I wanted to keep it. I am going to just give you one more question and then I’m going to let you go. It’s been an amazing half hour that went by so fast. Rural, so there’s a lot of policy stuff going on now. I get the sense that more and more policy stuff going on. I feel like there’s a groundswell of sentiment among cyber folks that the government is going to have to do more. Especially with rural. Hey, we just don’t have the resources with the adversaries we’re dealing with. And almost like a sentiment of hey, there’s nation state actors out there coming after my health system, no matter how big it is, I’m not as big as a country with dedicated cyber criminals or however you want to put it. Do you get the feeling that there is a little bit of a groundswell of hey, you’re going to have to help us out here?
Phil: Yes, and I’m helping to push that as well because I used to be in the government. We’re the most targeted of the critical infrastructure programs, healthcare, and yet, if I get breached, guess what happens? Now the federal government – not only are we going to pay for all that crap that just got breached and I’ve got to deal with all that mess, but now I could get fined by SEC or OCR or whoever. I could have the secret service on my back. I mean, I’ve got all of these regulatory bodies coming after me as well.
When I was in the government, I did work on a subcommittee for the critical infrastructure program. And one of the things that we try to do is explain – this was 15, 20 years ago, try to explain to people who didn’t understand cyber back then. For example, if there’s kinetic warfare and a missile was coming in from China and it was going to hit San Francisco, nobody would expect that the local sheriff would be responsible for defending San Francisco from a missile attack from China. Everybody understands whose responsibility that is. It’s the federal government. And yet, in cyber, we have, like you said, nation states that are launching nation state attacks on our critical infrastructure, on a hospital, and yet I’m expected to defend myself as if I was the federal government. And yet I can’t do any offensive stuff. I just have to do defense. And to your point, some of us are very fortunate and have some resources. But a lot of rural healthcare has none. They don’t have any resources. They can barely keep the lights on. I mean, I saw today an article three or four hospitals shutting down this month. I mean, just completely closing down. They don’t have resources, period, to keep the doors open, much less spend it on cyber defense. So it is definitely something that I’m hearing across the spectrum with cybersecurity folks saying, we’ve got to have help. And I think they’re doing some to address it. CISA is an organization that’s really starting to work on some of those for resourcing but they’ve got to do more, I think.
Anthony: Yes, it’s scary. It would put you out of business, right?
Anthony: It could put you out of business. If you’re anywhere close on your margin, they’ll finish you off. It’s scary.
Phil: Yes, it is. And unfortunately, in these rural communities, when you say business, it’s not just business, it’s the patients are out. I mean, we’ve got areas in Mississippi where if a woman needs OB services, she will have to drive two or three hours because those hospitals have closed down. They don’t offer OB services in some areas. And so, we’re talking about patient safety first here.
Anthony: All right, Phil. That was wonderful. I want to thank you so much for your time today. I enjoyed it. I mean, great stuff there. Awesome, appreciate it.
Phil: Thank you, Anthony. I appreciate you having me.