Published December 2022
“Protecting workstations in their traditional form is not a technique that scales any longer,” says Keith Duemling, director of cybersecurity technology protection at the Cleveland Clinic. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Duemling talks about how he and his team of cybersecurity engineers have no small task tackling “the sheer magnitude and scale of security” at the clinic, which involves literally thousands of vendors. Third-party risk is a key trend to watch, but so is the increase in patient-owned devices being used for diagnostic purposes, Duemling says. “It’s really challenging because obviously you can’t deploy traditional tools onto someone’s privately owned device, but you are, to some degree, still responsible for the protection of their information, and certainly their protection when it comes to the care that they receive.” Ultimately, it requires building strong relationships in the enterprise and getting out in front of demand when it comes to IT.
“I think that that underscores the importance of maintaining a strong relationship with different areas of the organization, not just being there when they come to you with an ask, but really getting out in front of the demand and the need for IT services and cyber services and building those relationships.”
“ … that’s caused us to elevate the conversation of losing IT systems, less as an inconvenience and more towards the position of losing a piece of critical infrastructure within the hospital system.”
“I could see future legislation actually coming out that mandates that medical device, medical software vendors pursue one of a short list of frameworks so that it helps, at an industry level, to obtain that increased level of comfort.”
Guerra: Thanks for joining me.
Duemling: Absolutely. Thanks. Glad to be here.
Guerra: All right, Keith, do you want to start off by telling me a little bit about your organization and your role?
Duemling: Sure. I appreciate the time, Anthony. So I’m director of technology protection here at the Cleveland Clinic. Overall, I’m responsible for several teams of engineers who support a number of cybersecurity platforms that are used throughout our enterprise to protect our clinical business and research operations throughout North America and Europe. I’ve been with the Cleveland Clinic for going on five years, and prior to that I had about 13 years in healthcare at another organization in Northeast Ohio.
Guerra: Excellent. Tell us a little bit more about your career journey. I like to find out how people wound up in healthcare and IT security. It’s a pretty specific little niche to wind up in. So just take us through your career and how you wound up where you are.
Duemling: Sure, that’s a great question. Like most individuals, when I embarked on this journey, my intention wasn’t cybersecurity, to be honest, and it actually wasn’t even IT. After my time in the service with the US Army as a quartermaster, I started out studying to be a pharmacist and ultimately found my interest took me into technology.
And then from there, I dabbled with technology, and then made it my profession, and then made the switch to cybersecurity, probably, I want to say, going on almost 20 years ago, before it was actually considered cybersecurity; it was more computer security at that point. And then I was lucky enough to get brought on board with a regional hospital system, where I had different roles.
And then about four and a half years ago, I had the privilege to come over here to the Cleveland Clinic. So I got a lot of background from an engineering standpoint, system admin architecture, some programming and a number of other things that have brought me to this point in my career, from a cybersecurity standpoint. A lot of different experiences and a lot of different teams that I’ve been part of. And it’s really been quite a complex journey. Part of being in the military is working on high performing teams and solving complex problems as a group. And that’s what is required in IT and it certainly is required in cybersecurity, especially in the healthcare environment.
Guerra: Very good. So you mentioned you were at some point interested in becoming a pharmacist, how far did you go down that road in terms of training?
Duemling: Towards the end of the first year, I reflected back and realized that it probably wasn’t going to be the calling for me. My interest was in the science, but not necessarily in all of the other aspects that it takes to be a successful pharmacist. And that’s when I was exploring some other opportunities and got into web design and web programming. And that was the start of the journey. And from there it was off to the races, to be honest.
Guerra: What would you say it is about cybersecurity that pulled you in that direction, as opposed to taking you in more of a CIO route?
Duemling: I think for me, from a cybersecurity standpoint, the ability to really focus on a pretty significant need that also has a lot of complexity to it and is constantly changing, as well. If you think about cybersecurity, it’s a constantly evolving threat landscape, where the techniques and the methods of five years ago are generally not what we see right now – what threat actors are using. And I have to imagine that five years from now we’re going to see different types of techniques employed that we can only think of at this point, not as a reality, but just theoretical attacks. So it’s constantly evolving. And I like that rate of change that keeps you constantly learning. You’re effectively a lifelong learner if you want to be successful in cybersecurity.
Guerra: You better be, right? What would you say are one or two of the most important trends that you are trying to position your organization to handle?
Duemling: That’s a good question. Because there are a lot of different trends out there. Really, third-party risk is one of the biggest trends that organizations of all different types are challenged with. Because with globalization and outsourcing and other activities, there are so many secondary and tertiary organizations that are participating in the care delivery process. So the responsibilities don’t just stop at the traditional walls of the organization, they continue out to the partners.
And then I think another thing that’s really top of mind is the evolving definition of what a device is and what a caregiver could be using. If you think back 10 years ago, cell phones and tablets didn’t have the role that they have now in the clinical process. So just protecting workstations in their traditional form is not a technique that scales any longer. We have to protect a number of different devices that support a number of different use cases, and then realize that that’s going to continue to change as technology evolves, like virtual reality, sending clinical devices into people’s homes, the fact that patients can bring their own technology that they use for diagnostics and recording results back into the clinical environment in some way. What we have to protect is constantly changing. And I think that’s an important trend that we have to keep thinking about.
Guerra: When you talk about devices there, you’re not even talking about the biomedical devices that the hospital owns, which is its own huge challenge and problem, right? Are we thinking about devices in two different ways: the ones that people are going home with, they’re bringing in their own devices, the phones and all that? And then, we have the infusion pumps and all that, which is a whole other ball of wax, correct?
Duemling: Yes, we have traditional devices, which are owned by the organization, third-party devices, and then the rise of patient-owned devices that are in the mix as well that need protection in some form or fashion. And that’s where it’s really challenging, because obviously, you can’t deploy traditional tools onto someone’s privately owned device, but you are, to some degree, still responsible for the protection of their information, and certainly their protection when it comes to the care that they receive.
Guerra: As these things move so quickly on the clinical side, do you ever get to a situation where you say, “they’re doing what?”
Duemling: It does happen, it does happen. I think that that underscores the importance of maintaining a strong relationship with different areas of the organization, not just being there when they come to you with an ask, but really getting out in front of the demand and the need for IT services and cyber services and building those relationships. So that, you know, by the time the ask is made, we hopefully will have already been involved in the process long before it ever got to that point. Bringing cyber out of the back room, if you will, and to the customer is an essential part of being successful in today’s day and age, in my opinion.
Guerra: So you want to build the relationships and make everyone comfortable with coming to cybersecurity, to run things by you to get things clear and all that. So that takes good relationships. They have to understand why it’s important that they come to you. And then you also have to have it baked in structurally, so they have to come to you when it hits purchasing or things like that. So would you say it’s a combination of all those things that get you in a good place from a process point of view?
Duemling: I think you’ve summarized it very well. That is probably the closest to an ideal state. Right now, we have to embed cyber into the different phases of inception when technology or solutions are brought into the organization. It really is about trying to be a partner at the different stages, so that we can advocate for the needs, from a cyber standpoint, early on in the process and be part of solving the needs and solving the challenges as opposed to saying, “No, we can’t do this,” after it’s been thought about for potentially months or even years, because at that point, it’s too late. And then we’re definitely a business inhibitor at that point.
Guerra: Right. And when you do find out something is on the network after the fact, I’ve talked to other CISOs, and they still take a very forgiving approach. They don’t want to be an impediment to business. So it’s, “Okay, we’ll look at it. This isn’t how it was supposed to go, but it’s on now.” And they won’t pull it off unless they absolutely have to. But I guess you want to then go back and say, “Well, what was the process breakdown that made it not come through us correctly in the proper way?”
Duemling: I agree completely. I mean, it’s like being embedded in the earlier stages of the supply chain process, the earlier we can get into that, and hopefully, the processes are well established, the greater chance we have of being involved with something before it just appears on the network, and then we’re forced to react to its presence.
Guerra: Right, right. Let’s talk a little bit about business continuity planning, disaster recovery. I find one of the most interesting areas that I think people need to work on is that potential transition to paper, and back again, and what that would look like, you know, table topping it and all that. And my biggest question is always who’s making sure that clinicians know what to do? If the call comes from IT security that says we have to take you offline in an hour or shorter period of time, who’s managing that process to make sure they know what to do at that point? And then the whole process of coming back from paper probably should be tabletopped, too. But what are your thoughts around that?
Duemling: Yes, I think that’s definitely a challenge. The thought of going to paper for an extended period of time, I think definitely produces a lot of thoughts about the risk associated with that, both to the business from a revenue standpoint, but more importantly, from a patient safety standpoint. So, I think that’s caused us to elevate the conversation of losing IT systems, less as an inconvenience and more towards the position of losing a piece of critical infrastructure within the hospital system. And so approaching it less as just the responsibility of IT, but more of an organizational responsibility to be ready for that is how we see that process maturing for those organizations that are really thinking about how we respond and stay at the same level of service and patient safety, if and when something should happen. And it requires additional testing well beyond tabletop exercises to make sure that if it happens, you’re ready for it to happen.
Guerra: Right. And you mentioned third parties, and I suppose most businesses, and especially health systems, are very dependent on the vendors that they use to run their software. So, people are working on more stringent processes for bringing them on. But I’ve heard one of the biggest challenges is the existing vendors. Yes, we can produce a new process for bringing you on. But we’ve got 100, 200, 300, 400 vendors, who all now should be held to a higher standard, because we have a new standard. So how do we go back? What’s the process for going back and working through everybody? And then it’s not just one and done? Right? Are we going to review them annually? Are we going to review them every time they’ve had some material change – they acquired somebody, somebody acquired them? So it’s a massive, massive issue. So what are your thoughts about managing that?
Duemling: Well, I think if we only had a couple of hundred vendors to manage, I would really be looking forward to that day (laughing). At the clinic, we have thousands of vendors of different types that provide different services. The challenge, as you outlined, is just the sheer magnitude and scale. Also the differing maturity of some of these vendors: some of them are very small, half a dozen to a dozen individuals. And then you have the large service providers that have tens of thousands or hundreds of thousands of employees, and then everything in between. So managing that at a program level and going through a recertification and questionnaire process, all of that is very cumbersome, especially if you’re trying to do it through a manual mechanism and having people moving Excel spreadsheets and looking at that.
So I think it requires a combination of techniques. One: using automated and centrally managed portals and tools to really serve as a force multiplier so that you can contact those hundreds or thousands of vendors simultaneously. It requires integrating into the incident response processes within an organization, so if you learn that a vendor has an issue you can respond quickly and consistently.
And then I think looking across the entire market, that’s where we will continue to see the rise of cybersecurity frameworks specific to healthcare. If an organization can demonstrate that they are HITRUST-, ISO- or NIST-certified, it helps us understand the maturity of what’s on their side, and not make it a unique process for every vendor. So it’s really a combination of things to put together a functional third-party risk program at scale.
Guerra: So, great points. We’re still talking about questionnaires and things like that with these third-party vendors. It’s tough enough to manage even if you were able to say with 100% confidence that everything that’s ever been submitted to us in a questionnaire is true; it’s still a tough process. But these are companies that want to attain the business and may perhaps be tempted to attest to certain things that are not accurate. I mean, do you think of saying, “All right, we can do questionnaires for most of them. But for the top 100, we need to go beyond the questionnaire because they’re so critical to the function of the organization, we need to do more.” What are your thoughts?
Duemling: I think that’s a spot on observation. I mean, it goes back to the old adage of trust but verify. And there’s a couple of different ways to approach that so you know what someone said and attested to was accurate at the time and remains accurate. And I think it’s a combination of follow-up questionnaires, follow-up assessments, using those frameworks, but then also using third parties as well that will analyze the reputation of the vendors and provide you a scorecard, if you will, of that vendor, so that you can use that as a third party itself to assess the third parties to balance out what was said versus what was observed. So if you were seeing a well-formed attestation, but then on the scorecard they are a D, you suspect that there might be some misalignment and then you can prioritize for further investigation at that point.
Guerra: Right. It’s interesting. It’s not the same as the dynamic you have with cyber insurance. I read an article this week where a cyber insurance company was refusing to pay out on a claim. I think it was around MFA. The health system had said, “We use MFA.” And it turns out, after there was an incident and they tried to get the claim paid, the insurer said, “Well, it turns out you weren’t using MFA, we’re not paying.” It doesn’t quite work that way with the questionnaires that health systems are giving their third parties. It’s a different dynamic, but I guess let’s put a question around cyber insurance. Just your general thoughts on trends there. We know the costs are up that you have to pay, deductibles are higher, the costs are higher, you have to jump through more hoops. What are your thoughts around the state of cyber insurance?
Duemling: I think that cyber insurance is going to continue to evolve when it comes to the value that it provides to organizations. I understand that the underwriters and the insurance carriers are challenged because cyber threats aren’t decreasing. They’re only increasing. And, at some point, we’ll see the exit of some insurance companies from that market because their risk when it comes to a payout level is just too high. And we’ll also continue to probably see the rates and the costs go up that are given to those who are pursuing cybersecurity insurance. So I think it’s going to be something that we will see the adoption go through different waves, if you will, where it may be too costly for some of the systems that are smaller, and more budget constrained to pick up.
And then as demand drops, theoretically, the cost may come down. It’s probably going to take five to 10 years to really see where cyber insurance fits in the cybersecurity ecosystem, especially as we’re driven more – as we always have been – to prevent, as opposed to cover ourselves for a potential exposure.
So it’s a slippery slope and a difficult question. And unfortunately, I don’t think I have a good answer for that, because I unfortunately don’t have a crystal ball when it comes to that. I think that organizations will have to make a decision on an organization-by-organization basis if they want to pursue it based on the cost versus benefit and the likelihood of an event and the actual likelihood of a payout from the insurance provider.
Guerra: Right. And we hear about some health systems self insuring and things like that. If the costs are too exorbitant, it doesn’t make financial sense, and this money is better spent in other ways to reduce our risk, then we’re going to spend it in other ways. That makes sense. You mentioned HITRUST, ISO, NIST as stamps that can help make it more comfortable with the vendor. Could you ever see a scenario – I don’t know if you’re there yet – where that’s a requirement to be used at the Cleveland Clinic, for example, that you need some stamp to be one of our vendors? Or are we still in a situation where sometimes there are those niche applications that the physicians say, “This is the only game in town, this is what we want.” And then, “Keith, figure out how to secure this thing.” And then you go, “Oh, this thing’s a mess, but I’ll see what I can do.”
Duemling: Yes, I mean, I think that that is still the case. We have providers that are niche in nature, and they’re the only ones that are able to provide some functionality that’s been determined critical from a clinical standpoint. We will continue as an industry – I think not just the Cleveland Clinic – to push vendors of various sizes to adopt a framework or some type of framework, maybe not the same one, as a means to simplify the process. I could see future legislation actually coming out that mandates that medical device, medical software vendors pursue one of a short list of frameworks so that it helps, at an industry level, to obtain that increased level of comfort.
I think that on the private side, we’re in a difficult position to push that type of mandate forward without a large coalition across all the different hospital systems. And that’s something that’s potentially taken up better at the federal legislative level, in my opinion, to be perfectly honest.
Guerra: And I’m sure you have those conversations with key stakeholders, physicians, regarding the security status, I mean, of an application they want to use? And how do you handle that? Do you take them through what you’re looking for? And perhaps why there might be a gap in the product that they want rolled out? And do you just have that conversation?
Duemling: Yes, we have that conversation regularly. And I’m happy to say that our physicians are very in tune with the challenges from a cybersecurity standpoint, to varying degrees, but almost every time, the vast majority of times we encounter physicians, they are very supportive of doing what is best from a cyber standpoint. They’re always supportive about doing what’s best from a patient safety standpoint. I think that’s one of the things that makes the Cleveland Clinic the leader in healthcare that it is, because of that commitment to patient safety.
So we do have different conversations, we definitely have a proactive process, we’re educating our clinical staff on the needs from a cyber standpoint, and they certainly educate us on the needs from a patient care standpoint. And then we can reach that middle ground and shared understanding so we can have a collaborative conversation with the vendor. So we’ve not received very much resistance at all when it comes to infusing the concept of patient safety with cyber safety as well. And it’s helped us immensely to drive the program forward to the state that it is now.
Guerra: What’s your advice on having the conversation with a vendor, where you have to say, “Hey, there’s interest here for your product. But here’s what we need to happen from a cyber point of view to make us comfortable on this side.” Is that how it goes? And how do you manage that, because again, you’re in an interesting spot, you’ve got users that you need to satisfy that would like this application rolled out. You’ve got a vendor here with the objective to get this product where it needs to be so it can be used by your organization. So I would imagine you have varying degrees in terms of the reception you get from that vendor, and their willingness or ability to do what you need done with the product. So tell me how you manage that conversation.
Duemling: I think you brought up a great point, which is really how we have most of the conversations. We talk with the vendors about what we have to do, and what can be demonstrated to show that the product is operating at a high security rate or a highly secure level, so that we can bring it into the organization to meet the patient care needs. And we also try to position that as something that if we observe something or provide feedback, and it can be integrated into the product or their service offering, it actually strengthens their product, and makes it easier for them to go to market and get adoption in other hospital systems and in other applications.
So we really try and pivot the conversation away from negative things that have been identified and, “You have to remedy these things before they can be brought into the organization,” to, “We’re providing you actually with a beneficial service by giving you feedback that you can then take to make your product better. And then cyber can be one of the many talking points and strengths to your product that will help you to get it into other hospital systems.”
Guerra: I spoke to one CISO who said she felt like she wound up being CISO for all these little vendors.
Duemling: It does happen that way sometimes.
Guerra: Very good. All right. You’re working on your MBA. So tell me why you wanted to go get that and how you think it will help you in your work.
Duemling: I think I mentioned that my background is very technical in nature. And I think that for IT and cyber individuals, that is one of their strengths, but it can also be one of their greatest weaknesses: we have a difficult time sometimes really interfacing with the business and understanding the business operations, the business priorities, and the things that really move the organization in the direction that it goes. So, when I was looking at my long-term growth, I saw that as a limitation and wanted to really be able to think less as an IT cyber professional and more as a healthcare administrator. And that’s what brought me to the point where a healthcare-focused MBA was on my radar, as opposed to the next cybersecurity certification or a PhD in cybersecurity.
And I think that’s a challenge a lot of IT executives in healthcare are facing themselves. How do I continue to evolve, so that I can interface and when I get that seat at the table, keep that seat at the table through relevant feedback and input that is less about the IT and more about the business enablement. So that was my goal behind pursuing that. And I’m happy to say that I’m almost done with the program. So I’m looking forward to it.
Guerra: Was it tough? Was it a lot of work, especially with your day job?
Duemling: There have certainly been some long nights. My family was very supportive, putting up with it, and helping me through, but you know, it’s a testament to the program that’s at Penn State. It’s not an easy program, but it definitely helps move you in the right direction.
Guerra: Well, let’s talk a little bit about burnout, something we hear about a lot with clinicians. But I suspect it’s also a huge problem, especially with cybersecurity folks, because it can be a 24-hour, seven day a week job if you let it – because things happen all hours of the night. So your thoughts on that? Do you see that as a critical issue among healthcare IT security folks? And do you have any advice for how you manage it? And then my second question would be what do you do to relax and what are your hobbies? Besides getting MBAs? (laughing)
Duemling: I definitely think it’s a real challenge. I mean, you’re facing labor shortages in the global economy as a whole. And then if you look in healthcare, there’s a significant shortage and that extends into cyber. I think recent statistics show that cyber was down nationwide, somewhere between 500,000 and 750,000 jobs. And that’s probably only getting more significant as burnout does continue, especially in these challenging economic times.
I think that, as leaders, we need to really take a hard look at how we manage our teams and make sure that work/life balance is something that’s not sacrificed whenever possible, and that we are cognizant of the needs of the people who are under our responsibility. And make sure that they get the type of support that they need, that encouragement to take meaningful PTO and not be checking your email while you’re on PTO, advocating for appropriate staff and seeing if there’s other opportunities to either automate to reduce the level of efforts or other things that can be done to reduce that burden that’s put on people.
I make some goals, specifically, for myself about time spent away from work, using PTO and spending time with family and trying to develop those who report to me and who I’m peers with, so that they can provide appropriate coverage, so that I can step away from the organization and have meaningful time. So, you know, it’s really something that you have to invest a lot of effort into, surprisingly enough, to be able to have that boundary. So it’s not going to just come about because you close the laptop at 5 PM, that the stresses are gone with that. So you really have to be intentional about how you position yourself and the organization and everybody within the organization to support appropriate levels of stress management and workload.
Your second question – aside from trying to get multiple MBAs (laughing) – I have a very loving family, and I enjoy spending time with all my kids, and my wife and I love to travel. So now with COVID passing, we’re looking forward to getting out there, exploring more of the world. And then like most IT people, sci-fi and things like that are of interest to me. So if my family can’t find me, I’ve probably disappeared somewhere to watch a sci-fi movie or read a sci-fi book. And they eventually find me and drag me back to reality, and have me doing something, but I take those opportunities to relax when I can.
Guerra: Absolutely love it. All right, final question. Any final piece of advice to someone in a comparable position at a comparable-sized health system? What would your best piece of advice be to them?
Duemling: I think that from a development standpoint, you have to remember that growth comes in two forms, typically, evolutionary and revolutionary. And you have to be willing to take advantage of the slow growth opportunities within your organization, and those moments where an opportunity is thrust upon you, maybe not in the best of circumstances, to radically grow your career, radically learn something new. And then, take those two types of opportunities when they come and then try and make sure to have fun with it. Life is too short to have just a job. This is a career, a profession, for so many people. And there are many ways to enjoy what we do, especially in healthcare, because of the value that we provide to so many people in need.
Guerra: Yes, just to revisit your other point about developing people. I mean, you solve so many problems when you do that, right? It’s what you’re supposed to be doing – mentoring and developing them and all that. And then if you’re doing it properly, it allows you, as you said, to step away, if you’re not micromanaging. Anyway, so it solves a lot of problems, right?
Duemling: Yes, it does indeed.
Guerra: Keith, thank you so much for your time today. Wonderful discussion. I really appreciate it.
Duemling: Absolutely. Thank you.