Where does Automation Come into Play for Good Cyber Hygiene in Health IT?

Video first appeared at This Week Health’s TownHall titled Situational Awareness: Assessing how to Comply with Both the 21st Century Cures Act & HIPAA.

Where does Automation Come into Play for Good Cyber Hygiene in Health IT? (Video Transcript)

Frank Nydam (Tausight CEO): So, where do you start speaking with CIOs, chief privacy officers? We don’t have trained staff. We’re short-staffed. Where do you start, and what’s your notion of this basic cyber hygiene, like 405d? Is that a good start?

Aaron Miri (Senior Vice President, Chief Digital Officer, Baptist Health): The typical way it goes as CIOs, first thing you do is you weep, and you sob uncontrollably for a little while, realizing that it’s a pretty, pretty deep hole. But no, I’m kidding. The reality is the first point you start is identifying where your crown jewels are, right? Do you know your systems that transact your data? Here at Baptist I have a giant, think about architectural diagram that connects all of my applications, servers, databases, infrastructure, to understand these are the systems that could house data, and this is where the data should be going to. The problem is looking for anything that’s outside that norm, right? How do you figure out, because we all know how apps work. There’s open up this port, open up this port, send this FTP out, send this via HL7 here. So even though on a map, on an architecture map, you may think, “Oh, it’s this database transacting to this application, which goes out to this.” It’s actually hundreds if not thousands of spider webs of connection going across most of the time, over port 80 or port 443, over the Internet, hopefully encrypted. But how do you check for all of that? How do you know for sure? That’s the gap right now is we think the level set is this, but the actual set is this, and looking at that delta.

Today, that’s a manual process where you have armies of people often tremendously understaffed, right? There’s nobody can afford it, including myself, trying to figure out what is the reality of it. So we’re trying to get smarter with automation and looking at things, but that’s where you start is looking at the crown jewels, transacting that, and then honestly QAing that, right. Is that really happening or not happening? Today in a very manual process, tomorrow has to be automated.