The security posture of healthcare is the foundation for trust that we have to build our digital experience. Ed Marx and Vugar Zeynalov of the Cleveland Clinic share their approach to getting the foundation right.
Bill Russell: 00:00 Welcome to This Week in Health IT Influence, where we discuss the influence of technology on health with the people who are making it happen. My name is Bill Russell, healthcare CIO coach and creator of This Week in Health IT, a set of podcasts and videos dedicated to developing the next generation of health leaders. Today we have a great show around cybersecurity with leaders from the Cleveland Clinic, which we’re going to get to in just a second. I want you to know that I’m out there looking for sponsors right now and I’m pursuing sponsors that I believe in so that I can speak about them with confidence and I can recommend them to you strongly. And, uh, today I’m excited to announce a new sponsor in Health Catalyst. Um, in the digital age, cloud computing is an essential part of more effective healthcare and precision medicine. But healthcare organizations themselves are still facing challenges in migrating to the cloud.
Bill Russell: 00:52 Currently only 8% of EHR data needed for precision medicine and population health is being effectively captured and used. 8%. That’s amazing. Learn how Health Catalyst data platform brings healthcare organizations the benefits of more flexible computing infrastructure in the cloud. Visit this week, health.com/health catalyst to download a free ebook on how to accelerate your use of data and the delivery of healthcare and precision medicine. Welcome, Health Catalyst, to the, uh, family of sponsors who are dedicated to developing the next generation of health leaders. Here’s our schedule for the next couple of weeks. Uh, the Friday shows will not stop. They’re recorded. They will continue through the holidays and into the new year and, uh, we have a lot of great interviews lined up for you. Uh, plus we have two end of the year episodes, year in review and the top 10 podcasts. The year in review is just me looking at the various episodes and pulling out some of my favorite clips from that.
Bill Russell: 01:48 And sharing that with you. The, uh, the top 10 episode is just what it sounds like. There are top 10 episodes for this year in terms of number of listens. I’m going to pull out a clip from each one and we’re going to do a countdown so you’ll know which is the most listened to podcast of the year. And I’m looking forward to doing that. Now to our show. So, uh, today I’m excited to be joined by Ed Marx, CIO of Cleveland, Cleveland Clinic, and Vugar Zeynalov. I’m not going to say your last name. We’re just gonna assume you’re like Cher or Madonna, uh, chief information security officer for the Cleveland Clinic as well. Good morning gentlemen. Welcome to the show. Hey, good morning. Thanks for having us. So, so, um, Ed, you know, one of the things I appreciate about having you on the show is, uh, we ended up talking a lot about life and for, for our audience, we’re going to, we’re going to jump into the, you know, architecture, innovation and other things. But before we do that, I’d love to hear how the, the, uh, recovery from the, uh, cancer diagnosis is going for you.
Ed Marx: 02:48 Oh, it’s, it’s awesome. I am fully recovered. So I was very, I consider myself very fortunate that I only had cancer for 45 days between time of discovery and time
Ed Marx: 03:00 of a lab results proving that the cancer was gone. So I’m very thankful in terms of, uh, the physical recovery. I’m back racing again. So in the last few weeks I’ve raced multiple 10Ks, which is a good barometer for my overall speed as a duathlete. And, uh, I podium finished an Olam and the last two took first place. So I’m very happy with the recovery so far. So
Bill Russell: 03:27 that’s, that’s, that’s fantastic. And you, you still have like a minute to drop off your time if I’m following your social media correctly.
Ed Marx: 03:33 Yeah, that’s right. So normally I’m about a six and a half minute miler to be competitive and I’ve gotten down to seven and a half over a 10K. I can go a lot faster obviously on the shorter run, but for 10K that’s, that’s where I am today and I need to get to six and a half by end of the year. So I’m on track to do it.
Bill Russell: 03:51 Man, that’s fantastic. So has, has your time as a patient influenced your thinking as a CIO at all?
Ed Marx: 03:56 Yeah, certainly. It reinforced many aspects. You know, we are all big believers in digital transformation, digital technology. It’s really these technologies that not only helped save my life, but enabled me to return to the quality of life very quickly. I can’t imagine not having it. That’s why I believe we have a moral and ethical responsibility to ensure that all that we do as IT professionals, security, as vendors, everything. Um, we have this responsibility to ensure that these same capabilities are available to everyone across the world. And it is, I mean, you can, we have the tools today, so it’s really important that we all be, are passionate about this and get, get this job going first in our organizations and in our communities and beyond.
Bill Russell: 04:42 Yeah, that’s fantastic. Uh, Vugar. You’re going to be probably new to our audience. So can you give us a little bit of your, your background and what you’re doing at the, uh, at the clinic?
Vugar Zeynalov: 04:53 Sure. Well, so I’ve been in cyber for 27 years now. Probably as long as the industry existed. Worked with the U.S. government, then in Europe, um, financial institutions, Canada, then in the U.S., helped them to stand up their security programs. For the past 12 years I was in healthcare, uh, with payers, um, medical device manufacturing. And now providers are the next frontier. And if you think of my career, it evolved almost like cyber evolved from government to finance to payers, uh, pharma and now providers.
Bill Russell: 05:28 Wow. Well that’s exciting. So today we’re gonna, you know, we’re gonna dive into cybersecurity and other things, but I think how I’m going to do it is we’re gonna really look at four, four topics: strategy, architecture, operations and innovation. And I think you guys have done a ton of work over the last two years in each one of those areas. And so let me just start by, if you were going to put those in order, you’re coming into a new organization. So strategy, architecture, operations, innovation, what, what order would you address them as you come into an organization? Either, either one of you guys.
Ed Marx: 05:59 and all that. This is perfect for Vugar because he came into the organization with this fantastic background and there was really no security organization when he stepped in. So he is best to speak to this because he actually came in and had to go through that thought process that you just talked about and that ordering. So Vugar, why don’t you share a little bit about that journey?
Vugar Zeynalov: 06:23 You know, about all these fantastic organizations. I had the privilege to serve. Um, I have to say that this is probably the most challenging role I had and here’s why. Uh, all these great institutions, they had all the important things in the world. They had their finances, they had their pride, their, their brand reputation, uh, intellectual property. And Cleveland Clinic has all that too when you look at the cyber, uh, landscape. But on top of that, we also have patient safety with hundreds of thousands of medical devices, patient privacy. People come here at the most vulnerable time of their lives and on top of everything else, if something happens to their data, it’s a devastating experience. And then things like virus outbreak in all the other industries means you can process transactions, you can process claims, which is really, really bad. For us, it means babies in NICU, people in coma and loved ones storming the hospitals, trying to find out what’s going on, and if the network is down and the phone system is down.
Vugar Zeynalov: 07:30 So the impact is amplified by the nature of what the institution does on that. On the other side, um, admittedly, provider industry is behind, uh, government and on payers and finance. And that creates, it’s almost like economy of crime if you have high value assets. And right now healthcare information is probably the most valuable in the black market. Yup. And then your defenses are, uh, not up on par, that, that’s the economy of crime. That’s why you see this proliferation of healthcare breaches. So speaking of what’s, what’s, what’s, uh, what are they, what to start? Um, when I came in, I prepared my hundred-day plan. I was planning to do what, what I was trained over the years to do: strategy development, current state, future state. What I learned really quickly is that, first, because we are behind, if we do everything the way we’ve done before, we’ll never catch up by definition. Second,
Vugar Zeynalov: 08:36 it’s almost like a lot of my common practices that I learned over the years were challenged in lieu of common sense. For instance, um, there was no reason to learn something we already knew. Like we had some cyber hygiene issues that we have to focus on. The very first thing we did is focused on stopping the bleeding, addressing some, uh, Pat, easy, easy to tackle issues. And then the way we communicate that to the organization just to get the message across. We focused on diagnosis, right, can understand what our strengths and weaknesses are and put together a treatment plan which defined our path forward.
Bill Russell: 09:13 You know, that was my experience coming in as a CIO. Um, I was named an interim CIO and then the following week we had a breach. And so, I mean, it, it, it’s, you know, it gives you the sort of the, the, the thing where you’re sitting there going, okay, we’re going to put together a good strategy and then we’re going to put together governance and then we’re going to put together education and training and all these other things. But at the end of the day, as Mike Tyson says, you know, you can have your plan until you get punched in the nose. And we got punched in the nose seven days after I took in, I took over as interim and you realize that, you know, we, we are going to do the strategy, but we’ve got to, we’ve got to make sure our systems and our processes and our, uh, processes and our architecture, we have to make sure all those things are sound today. So there is almost a, you know, start bailing the water out of the, out of the boat, also patch the boat and do all those things at the same time. What, so what have you found to be the most effective process for setting strategy? The cybersecurity strategy for, uh, a system of this magnitude?
Vugar Zeynalov: 10:17 Well, the very first thing we did and we had similar experience, the work you’re describing is I took my entire team to the, through the what we call journey of the patient. We visited every single facility and we went from admission to discharge with my team. Wow. At the same time I went and met with all the key leaders within the organization with a very humble message. This is a very humbling place. We get to work with the best of the best of their field too. My message was help me, help me understand because if, if, if we understand this is a good field, we can focus on the areas that are most important to you. Second, if we understand and, and heaven forbid something happens, then we can make better decisions for the organization. It’s like if, if they know their patient, they can rush them to the operating room versus doing all the diagnosis and finally I asked for forgiveness.
Vugar Zeynalov: 11:15 I told them if there is one thing we guarantee is that things are not going to be smooth. And when, when he, when they do, when things happen, we want to have a relationship in place so they can pick up the phone and call. Um, cause this is, this is new to the organization. And then looking at the size and complexity of this, uh, organization and what we do is, uh, rolling out a cyber program here was, was, was quite a challenge. So we started with understanding and through that experience, actually I got the best wisdom you can think of. They were very open, very, uh, forthcoming with some thoughts of what’s the best way to communicate a cyber to physicians because you think about it, they have the lives of people in their hands. And here I am talking about bits and bytes, so how do you bring the world of bits and bytes to the world of saving lives and some of these experiences yet describing that that helped us quite a bit because those two live through those two, those two worlds are coming together. So the way we constructed the strategy. Yeah, we follow the standard strategic development process, current state assessment, future state targets, a gap analysis, all that. But the key was the way to convey to the organization using, uh, using the language that our physicians are familiar with and they can understand and appreciate and connect with.
Bill Russell: 12:45 Yeah. So, so Ed, all this work is going on. I assume you have so many tasks that you’re, you’re trusting a Vugar to really run this thing, but how, how do you support him in this? How do you come alongside of him as the, as the CIO?
Ed Marx: 13:00 Well, we are in lockstep together on everything. In fact, we report up together to the board of directors. So our audit committee specifically on all things cybersecurity, and it’s so that they understand that this is our top priority is to ensure the safety of all of our information data for the reasons that we’ve already mentioned. So that’s one way is to be very visible with them whenever we have to do anything that causes a lot of organizational change. And you imagine with going from a no cyber program to a very robust cyber program, there’s significant change and change management required. So Vugar and I always typically present together. So again, it’s showing that in person support, I have Vugar provide routine updates to our executive team because rather than have me talk about it, I want them to hear directly from Vugar and know who he is. And like you said, when he first arrived, he did an excellent job of developing relationships and communicating. So we want to have that relationship continue. So it’s constantly promoting what he’s doing, giving him visibility, showing my direct support. And then maybe the final thing is really ensuring appropriate funding. So like everywhere else we deal with budget, you know, stuff and prioritization and it’s really critical that cyber received the funding that it requires. And so it’s really making sure that we get everything that he needs for the cyber program to be successful. So those are probably the three big areas that I show support.
Bill Russell: 14:37 Yeah, that makes sense. So Vugar, are they now? How important is system and data architecture in maintaining a strong security posture?
Vugar Zeynalov: 14:47 You know Bill, if there are two things that significantly impact the cost of cyber defenses, it would be lack of standardization because even we have standard systems, we can put all the security protections and roll with that. And the second is lack of data governance. I mean people compare data to crown jewels. Imagine the queen of England walking around in front of her jewels on every bed and expecting a secret service to protect it. They who would know where the data is, what are they just like? She stores all of her crown jewels in this locked room with laser beams. We can do the same thing. We know how to protect data. The challenge is, especially in academic research center, data is everywhere. It’s on the move. So those are the two biggest challenges we have. And strategy and architecture are there. You think about it’s a quality discipline, just like a cyber. So having structured architect architectural process that defines where we want to be as an organization. Having structured, structured engineering process that helps us to build systems and build, uh, capabilities that are, um, have all the controls and all the protections and everything else in place. And then, uh, disciplined operation, they’re all contributing to one goal, quality, quality of the systems. And cyber is helping to enhance that quality because if it’s not there that cost of poor quality tips into operation and causes outages, causes, uh, breaches, causes, uh, all these quality issues that lives there.
Bill Russell: 16:19 So how does security get integrated into governance? So one of the problems I’ve found and you, you touched on it was, was lack of standards. So we had 800-some-odd applications at our health system and, uh, and new ones coming in like that IT didn’t even know about that were just sort of popping in. And so one of the first things we had to do was, was get in front of governance and uh, and, but then we had to insert a whole new set of secure security framework within government governance in order to make sure that these things, um, were, were not going to expose the organization or the data in any way. And so beyond the, the normal checklist, which is now sort of become a, uh, almost comical, you know, Hey, let’s make sure this application is secure. And then you get this 14 page document and you check all the boxes and then somebody goes, yeah, it’s secure. Hey, we’re good to go. Um, you know, how are we integrating security into the governance process? Want to speak about the governance process before
Vugar Zeynalov: 17:23 I mentioned about how we plug in security into it?
Ed Marx: 17:25 Yeah. So as I mentioned, like from the very top, this is
Ed Marx: 17:31 endorsed by our CEO, the whole, our cyber program and how important it is and critical it is. And that really sets the tone, I think, for all of governance. And then getting down to the specifics that you know, operationally that Vugar will speak about. And then it reports down through the board and we provide these routine updates. And then it just becomes, when it comes to the IT level, we sort of split the responsibility between IT. So myself, as well as our chief compliance officer who oversee, has compliance and audit, and he reports, he doesn’t report to the CEO, he reports directly to the board. So because of these multiple channels, one direct to the board, one indirect through a subcommittee of the board, it ensures that we have visibility and support from the very top of our organization. So it’s very top of mind in terms of the overall sort of structure and governance. But in terms of the specifics, you can talk about the specifics.
Bill Russell: 18:30 Well, I actually Vugar before we get that. So where does, where does architecture, the architecture of the environment really reside within IT? Is that in the, in the hands of a CTO or is that some other place within somebody who’s looking at the whole thing saying, okay, we’ve, we’ve made sure that this, uh, not, not only security, but also a interoperability integration. Um, all those things. Is there somebody looking at that or is that sort of distributed?
Ed Marx: 18:59 It’s, it’s, it’s somewhat distributed. But in terms of the architecture, if I’m to ask this as funny, because this is a current conversation that we have. If I were to ask for, I want to see the drawings, the actual drawings of our architecture, how we architect the network, how we architect unified communications, how we architect all the interoperability. So our GoTo, so we’re organized by domains. We’re an agile company as IT. And, um, so that is in our, what we now call a digital health domain. And if within that is the infrastructure piece, and so it’s carried out in that function. So it’s a lot of, you know, cause that’s where Infor, as I mentioned, infrastructure and our CTO is, so a lot of that resides at that level. And then from a clinical applications, uh, that’ll reports up to the same domain. So a lot of that is in that domain. Now there’s some architecture that is in some of the other domains. So it’s a little bit distributed, but I would say 80% of it is within our digital health domain. Right.
Bill Russell: 20:07 So Vugar the, uh, integrating security into the governance process. How has, how have you done that?
Vugar Zeynalov: 20:15 Sure. So from a reporting perspective, just like the outline, I have dual reporting relationship. I report to Ed, uh, as a CIO and through him to the CEO. And I also report to the chief integrity officer who’s in charge of compliance and front a lot of, and he reports directly to the board. So that’s the reporting structure. As we started, we established the governance council. We have two tiered governance council, executive cybersecurity governance council made of Ed’s peers, and then the management, uh, governance council, which is the step downs, which is the operational arm of.
Bill Russell: 20:47 So if I’m a physician and I come up with a new app that I’m like, Hey, just went to HIMSS, have this great thing. And it’s going to help us in the area of oncology. I want to bring it in. I go to I how does it, how does it filter up to those groups?
Vugar Zeynalov: 21:01 Sure. So, um, we’ll also, since Ed’s arrival, we started putting together a structured IT intake process. So the idea is we don’t want to create a separate cyber security intake process and then separate IT intake process. We wanted to consolidate it all under a single, uh, entry point to the organization. So if, if someone wants to add any new application, new system or anything else into the environment has to go through a structured IT, uh, intake process and the cybersecurity is plugged into it from the inception. So you need the ideation phase and what we’ve done, we transformed our organization from where it was. It was a set of disjointed cyber functions. And in every project you would have seven people from cyber, some from identities, others from network security and so on a school what consolidated that and expose that through a series of services.
Vugar Zeynalov: 21:53 We have an advisory function just like major consulting companies do, if you will. So there’s a cyber, um, organization that builds all that awesomeness. And there is an advisory team that diffuses it to the rest of the organization, that single point of accountability, um, and it has set of cyber security artifacts that, um, act as a conduit, um, making it easier. So rather than you’re getting 600 questions right from the beginning, from the inception, you would have a cybersecurity architect assigned to whatever domain that application is coming from. That individual will represent all the cyber functions, help you to plug in security right from the inception into the search? Because every thing would do, every time we put security into the requirement phase, it’s going to cost us a dollar, if we wait until the implementation it’s going to cost us 100 bucks. And if we don’t do it at all, it’s going to spill into production as a cost of poor quality. So that simplifies that, simplifies it for customers, right? Uh, the engagement process and then moving into that service delivery model, it simplifies things for us as well because it streamlines our processes, makes it, uh, consistent to the organization. So they know what to expect. And then overall the customer services and fees.
Bill Russell: 23:08 Great. So, um, so I’m going to jump to operations. This is where the sort of the rubber meets the road here. And then I want to close on innovation. Uh, it would be remiss of me not to talk to you guys about innovation given, uh, where you, uh, where you work and what you guys are doing. But let’s talk about operations. So security breaches, uh, we know most of them are caused by people either, uh, our users or even our administrators, um, not following processes and those kinds of things. How, how can a health system minimize that exposure? The exposure of the people or I guess that’s the question. How, how can a health system minimize that exposure?
Vugar Zeynalov: 23:45 Right. So this is a, let me peel that off into several, um, kind of sub sub areas. First of all, um, having is consistency QE protections across the environment. And it starts on operational side. It starts with having consistent data. So if we would have good asset inventory and we would know what our cyber security protections are deployed across our environment and make sure they are consistently applied. Obviously that and, and that applies to everything, right? So from, um, things like antivirus and all the way to patch management, then other backup and other essential controls that you have to have in place. That’s one of, and that to do that we actually build a fairly robust data, um, um, the metrics console where we have feeding from all our security tools and IT tools feeding into centralized like data lake, if you will, and delivering set of concepts of metrics, uh, to identify these very variations from the standards and chase them.
Vugar Zeynalov: 24:50 The second aspect that you outlined is privileged user management. And you’re right, that’s one of the biggest challenges, uh, is locking down privileged back center. You can imagine the size and complexity of this environment will have like tens of thousands of systems and applications and so on and so forth. So we started a privilege management program first with introducing an ability for us to control that. So, so we can vault people’s passwords and they can go through a consistent way of accessing their systems and we can record what they’re doing while they’re accessing. And then the second one is streamlining and trimming it down to the acceptable level. It’s a multi year investment given our size and complexity. That’s where we’re embarking right now.
Bill Russell: 25:36 Yeah. So Ed, I want to sort of ask you, you know, when you come into a new health system, regardless, most CIOs I know who’ve come into even a well functioning health systems, um, identify, uh, operational gaps right out of the chute. How do you drive a culture of operational excellence within IT? And I assume you put together some program or, or went after that was probably one of the first things you went to after, I would assume.
Ed Marx: 26:04 Yeah, you definitely need to do that assessment pretty quick. You’re obviously brought in, if you’re brought in externally, there’s probably a pretty good reason why. And I think a lot of times it has to do with the fact that there are gaps. So it’s quickly, you know, ascertaining what the gaps are and then building your team to help address the gaps cause you’re not going to do it by yourself, not successfully. So you know, you, you identify those gaps, build a team that can help you fill the gaps and then you know, develop the plans, ensure alignment and start taking action and execute. Obviously these are not serial, they can be done. Some of these can be done simultaneously. So it’s really hiring great people. I was so fortunate to have Vugar as part of the team. He actually came here a couple of months before my arrival and had already done exactly that.
Ed Marx: 26:55 See the gap, develop a team, develop a plan and start to execute on the gap. The other couple of things we’ve done, Bill, that I may have mentioned in the past is we went completely agile. So as we got the right people in the right spots, we developed this agile culture and philosophy and way of work. So we completely changed the way we work. That was one thing. So that helped us become much more customer centric, much increased speed to delivery and those sorts of things. The second thing we did is we adopted its, which is like best practices for how you do IT across all industries and we made it a matter of employment. So everyone who existed had one year to get the training which we provided and then the testing to pass, any new hires have six months to get the training and pass the test. And so that’s happened a few months ago where everyone that one year expired and now we operate in best practice for IT. Let me show you one quick example. Hold on.
Ed Marx: 27:58 I rarely have paper. It’s probably not going to work on the camera, but what this shows is our serious safety events. So you see this is January, September, the first time ever recorded history. We had no serious safety events. Google are mentioned earlier that we use the vernacular of the of our business, which is clinical. So we call them serious safety events in ITSM or most it shops, you would call it major incidents. So we had zero major incidents in September, first time ever. And then you couldn’t see it where very well probably from the graph, but we had four or five months of just one. One’s too many, but one is much better than what we used to be. So our objective key result back in January, that’s how we measure ourselves, is through, okay ours as an entire organization, that’s how we ensure organizational alignment.
Ed Marx: 28:48 A CEO has OKR and they roll all the way down to the individual level. Anyways, our ours said 50% reduction in serious safety events and people said impossible. In fact, I was a little bit doubtful. We’re on track, I rarely have paper, but I had to tape this in my office because I was so proud of the team for achieving that. So that’s a long winded answer to your question, but that’s, that’s how you go about achieving operational excellence is by focusing, you know, hiring the right people, the gaps, the plan, and executing and focusing on the right things and then measuring it and being transparent about it. And then holding people accountable. So again, I know this isn’t about your question now and I’m going to kind of kind of go off off tangent, but what we do, just like our organization, when there’s a serious safety event, I’m involved in all of them.
Ed Marx: 29:35 As a member of the executive team and people are held accountable. They come to our team meetings and they explain what happened, what they’re doing, what the root cause was, what we’re doing to make sure it never happens again. We do the exact same thing in it so that whoever’s responsible for that serious safety event, it’s not meant to be punitive. It’s meant to be learning. They come, they explain what happened, what they’re going to do to make sure it never happens again. And then we hold people accountable. They should never show up twice for the same reason.
Bill Russell: 30:00 Well, and the other thing is you celebrate it. I mean you have that chart for a reason and it’s probably posted in your, in your office so that anybody who comes in and realizes, Hey, you know, this is a metric that really matters to the executive team from the CEO all the way down and uh, it should matter within the organization. So you celebrate it, you highlight it, you keep it in the forefront and uh, and, and all that builds that culture. So it’s, it’s all those things you said and it’s a continuing to elevate it. And that is not, that’s not always easy cause I’m sure ed, you’re getting pulled in a thousand different directions.
Ed Marx: 30:37 Oh yeah. It’s, it’s very difficult. We’re a large complex organization, but it really is a testimony to our great team. And I don’t mean just it, although we do have, we have started to put together a pretty amazing team, but everyone in our organization works as a team of a team’s philosophy. So it’s working closely with nursing, with medical staff, uh, with finance, with supply chain, everyone working together. It helps achieve goals like this.
Bill Russell: 31:01 All right, last, last five to eight minutes here. So I wanna I want to hit on innovation. So this is a topic everybody wants to talk about, but you know, it’s important to talk about security and operations and architecture because innovation rides on top of that. So a digital innovation, digital transformation, where are you seeing the most movement in this area? Either within IT or within healthcare as a whole? And, and I’d love to hear from both of you on this.
Ed Marx: 31:29 Yeah, I’ll, I, I’ll let Vugar talk first cause I would love our refuse to have spoke about the G Socksy shock, which will, which will explain what that is cause that’s highly innovative, I believe first in the world.
Vugar Zeynalov: 31:43 So I think innovation, especially in the world of cyber, which typically perceived being those naysayers, uh, innovation starts with um, being innovative within cyber itself. So we’ve been pushing the boundary. Like as I said, if we would do things the way they’ve been done before, we will never catch up. So we were looking to ways to leapfrog in the future. And the only advantage of being behind is that you can learn from strengths and weaknesses of others. Having done this multiple times. Um, this, there, there were a couple of things we’re doing very, very differently. First moving our entire organization to agile. Just having entire cyber secure organization including operational capabilities, running in agile and moving away from large scale projects to products. Here’s why it’s relevant. If you think of adversaries, most of them probably excluding nation-states, they may not have better tools or even better funding than we are.
Vugar Zeynalov: 32:38 We do it. We just more agile, more nimble. They, they, they are very focused on what they do. What I, uh, Sadler takes its cues from a structure. It processes around planning and discipline, right? Um, something emerges. New technique emerges on the cyber world. It takes us years to go through the, uh, approval and adoption cycle before we can put some protections in place. Being agile and nimble and having these product teams that have a very, very clear mission. It’s almost the same as moving from a traditional law enforcement battling, uh, insurgents to set up special forces that have a very clear mission. They have all the funding pushed down to the product level and they can make decisions uh, fast and in a nimble way. It allowed us, for example, in the environment like this, deploy some protections to a 70,000 assets within three months from inception to fully, fully complete it because there’s no like large coordination effort that’s required. Other things that we do very differently, uh, when moving into cloud before anyone else does. So when moving on type parameter into the cloud, we also established our cyber security operations center, um, co-located with what we call global speed operation center. Where physical intelligence from our protective services organization and digital intelligence coming together and operating together. I think this is pretty, pretty new to the industry.
Ed Marx: 34:10 Yeah, I think that might be first, first in the world. We’re sort of checking that out. So that’s really important cause we do have a GSOC, a global operation center because of our, we’re a global company, so we have assets around the globe and so it’s but marrying the two together because those lines have become blurred. So it’s, it’s pretty, it’s very innovative. And of course we do all the innovative things you would suspect. I was in, uh, a surgery yesterday, so I, I work, I think I mentioned to you before on Wednesdays, I spend about 10% of my time working in the OR now. And, uh, so I’m the anesthesia tech and I was, uh, assigned to the surgery yesterday and it was a very complex case and part of the issue was just the breathing airway for this particular patient. And so we took all the imaging that you would normally have with, you know, 3D imaging from, from radiology, from our Imaging Institute, and then we created a 3D model.
Ed Marx: 35:02 So with that 3D model, we actually knew the exact structure of the canal and the bronchitis, uh, to where the tubes would go and to, to fix this airway. And cause it was a very unique structure, which, uh, was very pro, potentially problematic. So with that we could actually perfectly measure things and know what kind of scope, what size of scope to use, what length of scope, all these different things that otherwise we would have been. IX people normally in the past would have perhaps experiment, you know, why you’re working with your patient. But we knew ahead of time because of this innovation. So that’s just one example and it’s so much fun cause I actually get to be part of it and, uh, be part of that patient care process. We have so many, that was just the first that jumps to my mind.
Bill Russell: 35:47 You know? And, and actually I’m going to, I’m going to ask you after this last question, I’m gonna ask you to, to, you know, how can people follow you in that kind of stuff? Cause, um, you know, you hit on agile within the environment, you hit it on the, uh, the innovation within security. And I know you guys are doing just a ton of clinical, uh, innovations that, uh, that people have access to and that you, you guys are, are very, uh, open in sharing. So, but the last question I want to get to before we come back to how people can follow you or learn more about this stuff is if you were to leave the clinic today, and I’ve been asking a bunch of people this, um, and you, you were going to do a startup. So I, I’m going to, I’m going to give you a couple million bucks to get, do your startup. What area would you choose to innovate in, in, in, in what, what, what might that look like?
Ed Marx: 36:35 So for me it would be, again, we, so the Cleveland Clinic, we want to double the number of lives touched and the only way we grow through M&A, the only way to really do that effectively is through virtual. So I would begin something virtual that would help everyone on the planet. So for instance, say what we’re talking about is doing, when we opened up our hospital in London in 2021, we would love to do the first transcontinental remote surgery, heart surgery. So a complex heart case where our surgeons, our experts would be here in Cleveland and the patient would be in London. And uh, so we’re, we’re making steps planning that direction. Now take that a little bit further. And what if you were in remote, you know, I have a medical clinic I think you know about in Tanzania and so what if those patients there, we could also do high acuity care for those patients somewhere remote where they don’t, where they is.
Ed Marx: 37:22 They have the very only the very, very basics. You can’t even imagine. Uh, but what if we could provide world class healthcare to individuals in that village that I would, that’s what I would invest in. I think we’re getting very close to being able to do some pretty amazing things. Even our app, our patient app, our first ever comes out our first ever in terms of the type of functionality that you would expect from a world class organization comes actually came out today. But internally soft launch, we’ll have a hard launch probably in a couple of weeks. But even that in the future we’ll have a capability to do virtual reality. So you actually interact with your clinician, looking at your own body based on images and kind of walking through it and looking, Oh, had you have a left meniscus tear in your knee. So a, here’s what it looks like and you kind of walk around. I mean that’s so cool. And then you can visualize being more engaged and then, you know, to the extent we can do more therapies and all that good stuff. So that’s what I would do. What about you?
Vugar Zeynalov: 38:20 You know, if we’re talking about cyber, one of the biggest challenges the cyber industry has is communicating value and mitigating value to, to our business and our clinical leaders. It’s, it’s been, it’s been always a challenge, right? How do you present actionable intelligence back first with decision making? Second for, for validation, seeing because typically clinical leaders use security as, as, as an insurance almost Australia. So that’s, let’s make sure nothing bad happens. In reality, there is so much more right? Like that little yellow lock that you see in your browser. It’s enabled what we today call eCommerce. There’s a lot of enablement that comes from security and I think, uh, we are lacking and this is everything from, from nomenclature to ability to communicate things with facts and numbers, communicate the value back to, to the business leaders.
Bill Russell: 39:15 Yeah, you can see that. So, uh, you know, guys, thanks for coming on the show. Uh, not only how can people follow you, but how can they learn from your experience from the Cleveland Clinic?
Ed Marx: 39:27 Well, I think the best way is just whether it’s on Twitter or LinkedIn is follow the Cleveland Clinic because that, I do that. That’s how I learned. I didn’t realize we did that. Oh, we do that. So we can apply some technology to that and make it even better. Um, so the Cleveland Clinic has all sorts of, you know, like probably like three or four different channels within each of those, you know, LinkedIn and Twitter. But I follow all of them and that’s where you find the best out. Then sometimes they’ll include cyber. You were recently, Vugar was recently featured on cyber and every once in a while some, some of the things that come out of my digital health team. So that’s probably the best place. The cause, the clinic is much is an amazing organization with, I think you mentioned earlier, very brilliant people, much, much smarter. I, we just feel honored to be a small, small piece of it. And so anything decent that we do that people might be should maybe picked up by by the larger organization. So that’s definitely the best place. We’re both on LinkedIn and post some things here and there. But I would say the Cleveland Clinic.
Bill Russell: 40:26 Yeah. And I’ve been reading your articles, they make their way onto health system CIO as well, which is great place to, uh, uh, I mean you shared almost your entire cancer journey, uh, in, in articles. I, I can’t believe you have time to write. I don’t know.
Ed Marx: 40:40 Well, the coolest thing though, if I can say this, is that a 12 individuals, 12 men, um, who responded to me based on those articles went and got their testing done in their PSA tests and had cancer and were treated. So that’s the, that’s part of the journey. And I actually visited with one, I won’t mention any names of course, but uh, we drove out cause they were only a couple of hours away from where we live and we drove out with them right before they had surgery. And then after in, uh, you know, uh, uh, continue that communication and they’re cancer free today. So that, that was the best part about sharing the journey. It takes a little bit of time. But man, we’ve got to share our, our ever, all of us, we go through pain in life and we go through pain as CIOs are all good things too. But sometimes it’s the pain and the journey that’s most beneficial for other people to learn from and you can help them and help save lives.
Bill Russell: 41:33 Well, I appreciate you guys doing the show. I appreciate you coming on and, and being able to focus on, uh, cybersecurity and at a future date, I would, I would love to go through that entire journey and just help to get the word out, uh, to, to our audience. And, uh, I, I, I really appreciate what you guys are doing, uh, and innovating in this area. It’s fantastic. So, um, all right. So please come back every Friday for more great interviews with influencers. And don’t forget, every Tuesday we take a look at the news that’s impacting health IT. This show is a production of This Week in Health IT. For more great content, check out the website this week. I’ll, uh, that’s all for now. Thanks for listening.