As the old expression goes, time is money. For executives like Keith Duemling, Senior Director of Cybersecurity Technology Protection, Cleveland Clinic, time is also about focus. That’s why he’s laser focused while at shows like HIMSS on finding ways to better protect the clinic’s patients and their data. To that end, exhibit floor games that require him to do anything other than that are non-starters. What Duemling will be doing at the show is participating in a session on how to better protect medical devices, which he says move up the priority ranking for cyber resources due to how close they are to patient care, and, thus, patient safety. One area of the HIMSS Conference where Duemling will likely venture is the fringes of the exhibit floor, where smaller and newer vendors may be showcasing a hidden gem in plain sight. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Duemling discusses these issues and many others.
Bold Statements
… there’s also something to be said for some of the smaller solution providers who have some really innovative and new products. They’re in the peripheral sections, and if you spend some time in those areas, you’ll really see some unique things. Again, it’s one of those situations where the risk is worth it because you find some gems that are hiding in plain sight.
… rarely is there one product that’s going to solve all the problems, so talk to me about how you can help me solve problems but also integrate with other capabilities that will help me solve problems or other functions.
… my time (at a conference) is limited … my organization and our patients really expect us, when we’re there, to be laser focused on what our mission is. Anything that really pulls me in a direction off of that is not something that I’m going to be able to get behind.
- Session Title: Lessons From the Trenches: Securing Medical and Internet of Things/Operational Technology Devices
- Day/Time/Location: Wednesday, March 13 • 2:30 PM – 3:30 PM Eastern Time; W304E
Anthony: Welcome to healthsystemCIO’s HIMSS Conference Preview Interview with Keith Duemling, Senior Director of Cybersecurity Technology Protection with the Cleveland Clinic. I’m Anthony Guerra, Founder and Editor-in-Chief. Keith, thanks for joining me.
Keith: Pleasure to be here.
Anthony: Very good. Keith, why don’t we start off, just give me the overview of your organization and your role.
Keith: As you’re probably aware, the Cleveland Clinic is a very large healthcare system throughout the United States and we also have operations in Europe and Abu Dhabi as well. My role specifically is leading the design, development and operations of a number of our cyber platforms that are necessary to protect our entire global healthcare platform throughout the world. These are definitely challenging times, as healthcare and cybersecurity are not new acquaintances for each other but the intensity has only increased in the last couple of years.
Anthony: Excellent. Thank you, Keith. I’m speaking to people who are going to be presenting at the HIMSS conference to give our readers a little idea of what’s going to be going on there. I know you’re going to be speaking. You want to tell me a little bit about your session.
Keith: Yes, absolutely. When we were thinking about the HIMSS conference and different content, we had this conversation with the Mayo Clinic about some of our shared challenges with securing medical devices, different approaches, different techniques for driving up the maturity, lessons from the trenches, what worked well, what didn’t work well and trying to figure out how we could share that with the audience and get their input.
So what we’re going to put together is a panel that’s going to really cover those things, bring out the genesis of our programs, how they evolved, where we see the future and share some of those things so that hopefully others can learn and maybe give us some tips and tricks from what they’ve seen so we can all improve together. Some people are solving it with technologies. Some people are solving with process. Then, everybody else is doing a combination of those things, somewhere in between those two ends of the spectrum.
Anthony: Right. It’s usually that. It’s usually technology, process, change management. It’s a lot of the political stuff so that’s usually what comes up. Let’s talk about the medical devices in your overall cybersecurity approach. There’s a lot of competing priorities in cybersecurity, right.
I did an interview the other day with an individual who said you have to place your resource bets where the attacks are happening. What do you think of that, and where does medical device security fit in that type of dynamic?
Keith: I think that is a spot-on observation. The reality is there are limited resources, so you have to prioritize where you’re going to focus your attention. I think with medical devices, there is that added complexity of the fact of what they’re doing, the role that they’re playing in healthcare delivery. They’re not just being used for inputting information, making decisions. Some of these devices are actually administering the care directly to patients. So there’s another component which is the life safety aspect of these devices.
It’s not just potentially a violation of confidentiality and integrity but it’s that availability and again, the life safety aspect of that has to be factored in. You may have a system that doesn’t have a lot of data, but it has an incredible level of importance to patient safety so you have to factor that dynamic in as well. I think that’s forcing us, as an industry, to add that as a decision-making factor when we try and position these limited resources in how we tackle medical device security.
Anthony: When I think of medical devices, there’s two main concerns that come to mind. One would be that it’s an entry point into the network, but not the end goal; the other – which I think is rarer – is that manipulation of the device itself is the goal. Does that make sense?
Keith: Yes, I think it does make sense. I think we’ve not seen historically a lot of direct attacks on medical devices as the goal, but to your point, as an entry point. I do think another concept is that medical devices often exist in the environment with other devices that might be the entry point, that might be the targets. So they may be damaged as collateral damage in the incursion and that process may be disruptive to their operation.
Anthony: And from my conversations, working out the relationship between IT, IT security and biomed is critical to securing medical devices. It seems it can be arranged successfully in any number of ways, but you have to get that straightened out. Do you agree?
Keith: Yes, I would agree. The structure, to your point, can look different in different organizations, and it will for a lot of different reasons but the relationship between IT security and biomed, and the partnership, is really key to putting together an effective protection program that allows the assets to be protected but also still achieving the core reasons that they exist in the first place. Without that relationship, I think you’re going to struggle and a program is going to really have difficulties reaching advanced states of maturity because you have two forces that are moving in different directions when you really need them to be moving in sync with each other.
Anthony: Very good. Let’s talk a little bit about your goals for the show. Are you going to hit some sessions, walk the exhibit floor, have meetings? I know some people in roles like yours hide their badges when they go into the exhibit floor so they don’t get attacked (laughing).
Keith: Well, I think you – unfortunately, let go one of the secrets that I was doing – hiding my badge is definitely something I had planned on employing (laughing). I’ll have to come up with another technique. But I intend to do all of the above. I’m going to spend a good amount of time at the conference, maybe not the entirety of it. But there’s a lot of high quality educational sessions that I want to attend, some key strategic vendors who we want to talk with and help understand their solutions and how they’re changing, and a number of peers who I’m looking to catch up with as well.
Really, all of the above is what I’m going for. Of course, I plan on dodging some of the things that may not be the best use of my time and whatnot. But given what we’ve gone through as an industry with Covid, I’m glad to have these challenges compared to what we were going through. I’m glad to be able to get back in person with people and talk and sit down in a room and try and solution some of these things, and really hear about also the innovation that’s come out of Covid, that’s come out of all these challenges. I mean, it reinvigorated a lot of these conferences because we’re not just talking about what was and what is but what could be. And so, that’s what really has me excited and willing to say, ‘well there’s all those positives and there’s a couple of negatives, but the positives definitely outweigh the negatives.’
Anthony: You mentioned the meeting with strategic vendors. Are these existing vendors, potential vendors or both?
Keith: Both, I would say.
Anthony: You set those up ahead of time?
Keith: Usually, the vast majority, but there’s always some ad hoc ones if something catches your eye. There’s a number of individuals from my organization going and sometimes you get that text message, ‘hey, you’ve got to come over here and check this out. This is something we didn’t know about that might help us,’ so there’s a lot of that. That happens as well.
Anthony: Yes, there’s the interesting dynamic of when you maybe actually want to talk to someone at a booth which is like their dream. It’s everybody’s dream there that something like that would happen, but what if they have someone very junior in the booth, somebody who can’t really engage with you. Have you seen that?
Keith: I have seen that. There are other conferences where that really seems to happen. I’m not going to name names but I think that HIMSS is one where the solution providers put their best foot forward and they have people who really have the depth of understanding. Sure, there are some that maybe don’t, but then there’s also something to be said for some of the smaller vendors – oh, solution providers, sorry, I should use the right term (laughing) – who have some really innovative and new products. They’re in the peripheral sections, and if you spend some time in those areas, you’ll really see some unique things. Again, it’s one of those situations where the risk is worth it because you find some gems that are hiding in plain sight.
Anthony: What would your message be to sales folks about what they really should avoid doing? You see sometimes maybe an over-aggressiveness, just the lack of willingness to leave you alone if you don’t respond. Does that happen a lot where you almost become uncomfortable? We don’t want people to do that. So if you can put information out there that says, ‘hey, you can do this but don’t do this.’ That might be helpful.
Keith: Yes, I think a couple of things come to mind. Obviously, there’s the aggressiveness, both in person and online. When you’re chasing after someone – whether it’s in person or they’ve sent 15 messages on LinkedIn and you haven’t responded to a single one, but they’re consistently coming – there has to be some balance between trying to get the message out and knowing when you just need to step back a little bit.
Of course, I think you hit on it earlier. There’s that knowing the product and knowing the value and being able to articulate the value to someone who is seeking a solution out there and understanding that rarely is there one product that’s going to solve all the problems, so talk to me about how you can help me solve problems but also integrate with other capabilities that will help me solve problems or other functions. That, to me, is what I can build a platform and build a strategy around, as opposed to just niche solutions that, unless they’re perfect, they’re not going to help me because they don’t talk with anything else.
Anthony: Right, right. Here would be a couple of red flags that I’ve heard before. One is if you ask somebody to, ‘tell me about what you guys do,’ and it doesn’t make sense or it’s not clear. I’ve talked to people and they say, ‘yes, our problem is we do too much.’ They’ll tell you in confidence, ‘yes, I can’t even explain it or the menu is too big.’ So you have to be able to talk about what you do. It’s got to be compelling and narrow enough that it makes sense, right?
Keith: Yes, I would agree. There’s solution providers out there where you don’t understand what their strategy is. It feels like they’re just casting the largest net they can to see how many they can catch, without it really making sense. I think the best ones are where they can bring multiple products together to solve complex situations. For areas they don’t want to play, they can build an integration, and then they can approach companies like ours and say, ‘here’s how we can solve your problems, by integrating with some of your existing technology and capabilities.’
Anthony: Right, right. Are claims that they have no competitors usually a red flag?
Keith: Usually. It either means you’re so far out on the fringe that you don’t know or you haven’t done what I would consider a strong enough market analysis to really know what your product is and what some of the competing solutions are. Yes, that’s usually a red flag. Of course, leading off with the free item that you can get if you spend 15 minutes in the booth is not something that’s of interest to me. I’m not really interested in walking away with a collection of drones or anything else like that (laughing).
Anthony: It’s usually not even a good drone.
Keith: Well, it changes throughout the year. So, yes.
Anthony: I used to find it comical – and I hope I don’t offend any sponsors that are doing this at the show – when you got some bingo card and you’d have to run around to a whole bunch of vendors to get stamped before you collected your free prize. I always thought that executives like you are more concerned about not wasting their time. And I bet you get paid enough that the prize isn’t worth your time.
Keith: Yes, it is counterproductive, so I don’t normally participate in that. I mean to your point, my time is limited but more on a serious note, my organization and our patients really expect us when we’re there to be laser focused on what our mission is. Anything that really pulls me in a direction off of that is not something that I’m going to be able to get behind. I know that’s the sentiment across all of our leadership at the Cleveland Clinic. We’re focused, whether we’re here, whether we’re at a conference, on our patients all the time.
Anthony: Do you have some kind of debriefing with colleagues when you come back?
Keith: It’s a combination, and debriefing is how we approach it. We share notes on where the industry is going based on what we’ve observed. But then there’s things that clearly we have an interest in and then we’ll dig in on those and figure out what our strategy is going forward. There is no shortage of people at the clinic who are interested in learning so we bring back a lot of stuff with us to share with other people.
Anthony: There is that element between HIMSS and ViVE. You might have two times a year when a large percentage of vendors are in the same place and you walk around and see what’s up. They are fairly unique opportunities to do some window shopping, right?
Keith: Yup. I was just going to say we’re at an interesting place with the fact that healthcare has a number of emerging conferences that are growing in strength and it’s now a choice between HIMSS and ViVE and several others, including regional events. What once was a very restrictive set of choices, the menu has increased in size.
Anthony: I’m sure you get invited to all kinds of things. Besides these shows, you get invited to regional conferences and dinners and tons of stuff. But again, it comes down to your time, right?
Keith: Yup.
Anthony: It’s a lot. I mean there’s no shortage of invitations, right.
Keith: That is an understatement.
Anthony: That’s when you get those 15 pings on LinkedIn.
Keith: Yup.
Anthony: Right. Stay friendly. They have to stay friendly. Now, nobody is saying you should do 15 pings but if you’re going to do 15 pings, stay friendly because we see some of them, they get a little angry.
Keith: Yes, they get a little aggressive, try to put some shaming in there. But then you scroll up and see HIPAA is misspelled or ‘hello XXX,’ showing you there’s been a mail merge that clearly didn’t go right.
Anthony: Or there’s an email with formatting or font differences.
Keith: Right. That’s another red flag.
Anthony: Absolutely. Stay friendly, right, folks. If you’re going to be persistent, stay friendly and don’t be too aggressive. Put a little time in between those pings.
Keith: Stay authentic as well.
Anthony: Stay authentic. Very good. Keith, thank you so much for your time today. Really appreciate it.
Keith: Yup, absolutely. Thank you for your time.