Healthcare Innovation

Founder Podcast: Exploring the Digital Battlefield of Healthcare Cybercrime

September 2, 2023
Founder Podcast: Exploring the Digital Battlefield of Healthcare Cybercrime

Healthcare under siege, exploring the digital battlefield of healthcare cybercrime

In this episode, host Bob Kaiser speaks with Josh Spencer, healthcare CISO and founder of FortaTech Security, to uncover the dark underbelly of the multi-billion-dollar healthcare cybercrime industry and reveal how healthcare organizations are leveraging the latest technologies to defend themselves.

Podcast Captions (Auto-Generated):

[Bob Kaiser 00:28]

Welcome to the Business of Healthcare podcast from the Center for Healthcare Leadership and Management at the Naveen Jindal School of Management here at the University of Texas at Dallas. We bring together business leaders and other forward thinkers to discuss how best to meet the challenges of a rapidly changing, increasingly complex healthcare ecosystem. I'm Doctor Bob Kaiser, Director of the Masters Program and Healthcare Leadership and Management. Be sure to subscribe on Apple Podcast, Spotify or your favorite podcasting app to ensure you don't miss any of the future episodes. You can also join us online at businessofhealthcarepodcast.com. Today on the Business of Healthcare Podcast, we're going to explore the digital battlefield of healthcare cyber crime. We have a lot of practical guidance to share today. And also a deeper insight into how artificial intelligence is being deployed in the healthcare cybersecurity space. Our guide today is Josh Spencer, Senior Partner and Chief Information Officer at Ford Tech Security. Josh is no stranger to the complicated world of healthcare. Prior to his current role, he served as Chief Technology Officer at UT Southwestern Medical Center, guiding massive infrastructure resiliency or improvements. Data center migration and implementation of transformative new technologies. Josh, welcome to the Business of Healthcare podcast.

[Joshua Spencer 01:57]

Yeah, thanks for having me, Bob. It's a real pleasure to give you and your listeners a peek into the dark underbelly of the healthcare cybercrime world. And I'm really excited to share some of the powerful weapons that we use to keep our healthcare data safe.

[Bob Kaiser 02:12]

You know, we have many points of interest to provide these your practical awareness and guidance, but we also want to go deeper today, Josh, into how artificial intelligence plays a role and how it's going to fit into the future. So let's start with a little bit on your background as a Certified Ethical Hacker, My guys, that name itself sounds pretty impressive. And your role as the Chief Information Security Officer. You know, protecting the information and assets and technology for a large Medical Center doesn't sound like a very easy job to me. Tell us more about that.

[Joshua Spencer 02:46]

Yeah, it's certainly not an easy job, but it is exciting. Over the last 13 years, I've been helping keep healthcare organizations secure, and not a single day has gone by that I didn't see or learn something new. As a certified actual hacker, I was brought in to look at healthcare organizations through the eyes of an outside attacker. I would use the same software, same tools that the hackers use, and scan a company's network looking for any signs of weakness. And when I did find a weak spot, weak spot, and the armor of their network, I would then gain access to that system and all of its data, and then continue to move all throughout the network, gaining access to more and more systems along the way. And that was it. Was a fun exercise, but critically important at the end of the day because most companies, they're going to overestimate their defenses and underestimate the capabilities of the attackers. So an ethical hacker like myself, once they've broken in, we'll work with that company to understand and fix the holes in their security, with my ultimate goal being to make it as difficult as possible for that next hacker to get in and do what I just did.

[Bob Kaiser 03:53]

So there's such a thing as a Certified Ethical Hacker where you have to be qualified. Tell us a little bit more about that. That's a little bit intriguing to me. I didn't know such a position or training existed.

[Joshua Spencer 04:05]

Yeah, absolutely. So it's a program that makes sure you have not only the the technical knowledge, since there's plenty of information out there about how to how to do that, but also that you have an understanding of the more obligations of what you're doing. As an ethical hacker, you are going to be getting access to a full treasure trove of information that you weren't intended to have. So you need to know what to do with that information, and then also how to properly communicate with with your clients to understand what to do with that information temporarily. How to rapidly put a bandaid to keep that information from getting compromised and then to work with them to make some longterm fixes to fix not only that particular issue, but make sure similar issues don't get introduced in the future?

[Bob Kaiser 04:52]

Okay. So we're talking about cyber crime here. I've got a few few general type questions. So let's kind of start with the criminals. Since this is cyber crime, you know, who are they? Why do they do it? And and what exactly do they do? So who are these cyber criminals? What? What are they like? Yeah, absolutely.

[Joshua Spencer 05:10]

So when I think about cyber criminals, they're really going to come from a whole range of very diverse backgrounds spread out all over the world. But that being said, you know, when we look at it, there's really three common attacker profiles. So the first one is going to be the government sponsored hacker groups. We commonly refer to them as Advanced persistent threats for a PT's. Now these are going to be teams of elite hackers. They're going to be directed by their governments to steal secrets. So think of military strategies or even from a healthcare standpoint, medical research that's giving their countries an edge in that industry. These attack groups are also going to be profit motivated and they're going to be netting their governments billions of dollars every year in revenue to help fund the governments, or at least some of the politicians that are employing them. The UN actually, they released a estimate a few years ago saying that N Korea's cyber army was responsible for 50% of North Korea's income. Their attacks have drained billions of dollars from numerous bank accounts across the world. So they have a a very successful program. But yeah, even though these governments that and their attacker groups get a lot of media attention, really the most common of the three attacker profiles are going to be the organized crime syndicates. So these are large organizations with hundreds or even thousands of employees and they operate much like any other company that you think of. They've got HR departments, paid time off, new hire orientations, they're they're most likely going to operate out of countries that aren't very friendly to the US and and European governments. But despite all of the complaints that they're getting from our governments, they're still not being shut down. That's because, you know, the, the police in those countries recognize that, hey, they're employing thousands of people in that community, providing a really great source of tax revenue. And in many cases, there's also bribery schemes in place to keep the authorities from from sweeping in. And then the last category of attacker is the one that's really started to grow the most rapidly just over the past year. We call these the lone wolf, so they can be anyone from a disgruntled IT employee that's fallen on hard times. It could be a high school kid. They just watch some videos on how to hack from YouTube and then the the latest generation of a I has really given these lone attackers an incredible ability to to rapidly develop new attacks and techniques that would have been a year ago impossible for just one person to do. So we're we're pretty quickly adjusting our defensive measures make sure we're we're properly defending against these new threats that are a I enabled.

[Bob Kaiser 07:49]

While it's like walking down the dark, dark alley at night, you don't know what to expect or who's going to come at you. So I can see, Josh, where financial data would be key of importance. Why do they want the healthcare data? Why is that so important?

[Joshua Spencer 08:04]

Yeah, answer to that is pretty simple. And it's money. Lots and lots of money. And really, at a scale that I imagine most people couldn't even conceive of, most of the data that's public out there indicates the overall global cybercrime revenue is teetering around $1 trillion per year. So give you an idea of scale, think of the combined revenues of Facebook, Apple, Microsoft and Google. So it's a lot of money. And Healthcare is definitely a prime target for cyber criminals. So much of that revenue is being stolen out of the pockets of healthcare companies that just haven't prepared themselves properly. Some industries, they've got the luxury of being able to easily correct stolen data. So think of a credit card company, they can detect fraud and have a new card in the mail same day. Now in healthcare though we can't generate a new date of birth or a new medical history for one of our patients. So in many cases a cyber criminal can profit off of that stolen data for years. And then Healthcare is also unique and and how concentrated and comprehensive our sensitive data is. So a criminal breaking into a medical record system, they've got everything they need to commit just about any type of identity theft that they can think of. You've got name, date of birth, Social Security number, home address, a lot of very powerful information. Now, I found most people in healthcare, they've they've got a kind of a vague understanding that healthcare data can be illegally monetized. But it really isn't common for folks to understand exactly how that happens. And I find when people know just how easy it is to illegally profit off of that data, they do a much better job of protecting the data. Many times that the burden that comes with being forced to use a longer password or accepting that two factor authentication prompt, it really doesn't seem as onerous as it once did once we realized that a password can protect thousands of lives from identity theft or even worse. So of course today I'm not going to give you a step by step guide to selling healthcare data, but I don't want the FBI my doorstep. But what I can share is an overview of some of the most common methods. You know, I think most people have at least heard of the dark web, but for those who don't, you know the dark web, it's a criminal's paradise. It's a hidden part of the Internet, really hard for authorities to shut down and require some special software to access. But in the dark web, these underground cybercrime markets flourish and all you need is a little bit of Bitcoin. And you can buy anything from prescription drugs to stolen medical ID cards and even passwords to medical record systems. And all these services they they look and feel just like you're buying anything else. Online you can see reviews of the sellers pick your choice of shipping speed, in some cases even ordering free samples. So let's yeah, let's say a hacker. They sent out 10,000 phishing emails to various health systems, maybe 1000 of those recipients, they fell victim, and maybe a hundred of those aren't using two factor security. Well, the hacker can then sell those 100 passwords and the going rate as of today is about $4.00 a password. And so a day's worth of effort just netted them $400.00 on the dark web. Now, someone who's specialized underneath theft, but they can visit that dark web market, buy up a few of those passwords, and they can log into the medical records system and begin collecting patient information. They can either sell that directly on the dark web, or they can, say, use that information to make a fake IDE. They can pick up some narcotic prescriptions and those patient names and do all kinds of really scary things. And then?

[Bob Kaiser 11:38]

It sounds like an Amazon.com for criminals.

[Joshua Spencer 11:41]

I mean, my goodness, absolutely it is. It is frightening to see this type of activity just thriving there on the dark web.

[Bob Kaiser 11:48]

Well it makes sense what the way you explained that why they want like you said it's it's it's monetarily to their advantage to get this healthcare data. So when you stop and think about these hackers getting this data. But you mentioned a couple things. You said you know people can send in phishing, that's that's emails, I guess. What is that a popular way? What are the ways do they go about getting into these healthcare systems and getting all that data?

[Joshua Spencer 12:14]

Yeah, absolutely. That's a very popular method. And many times when companies are hacked, they're often going to go to the press and they're going to say we were involved and advanced cyberattack and make it seem incredibly sophisticated and possible to defend against. And that's what they're the PR part of that company wants you to hear. But really in reality, what these companies don't want you to know is that they likely fell victim to a foundational security issue. So thank you, Fred in accounting answered a phishing e-mail. Nancy and HR, she kept canceling her security updates until her computer was infected. And unfortunately we we really have to worry about more than just the Fred Nancy's. We have to worry about vulnerabilities not just from our own employees and systems, but all the vulnerabilities that exist with all of our vendors. And in healthcare we have perhaps more than any other. So we might remember some of the names like Humana and Anthem that that hit some of the headlines due to our breach from their vendors. But it is overall just incredibly common in healthcare. If if you were to take the list of the top ten healthcare breaches that were reported last year, most of those, so over 50% of those were due to third parties. So it's incredibly important to understand who has your data, who has access to your systems, and how the data and that access is being secured.

[Bob Kaiser 13:33]

Do these hackers do these criminals? Do they typically pick out a specific company and go after them? Or is it a a wide, wide cast of their line just to get anybody who bites on it, so to speak? What? What do you see happening there?

[Joshua Spencer 13:47]

Yeah, so it's going to be a little bit of both. Quite a few attack campaigns are targeted at a single company. Often times this is going to be due to certain news stories that hit the Internet that put the company in the limelight, especially if that news could imply that the company's become much more valuable suddenly, or perhaps is less defended. But for the most part, hackers are going to cast that wide net. They might collect a list of every healthcare company e-mail address they can find on the Internet. Or they might set up their scanning programs to crawl through the Internet looking for any sign or vulnerability, and then prey on whatever weaknesses that they find.

[Bob Kaiser 14:22]

Is there another motive other than financial gain you hear about people doing what I'd say ruinous activity they'll attack somebody's you know company or website just to put them out of business. I'm not.

[Joshua Spencer 14:36]

I'm not sure what that terminology is when they they overrun override the the web access for those those sites, the financial fraud, medical identity theft is one of the biggest motivators but it's not the only motivator. So in the case of these you know state sponsored attacks or advanced persistent threats, many times that's to gain a foothold or negotiating leverage with the other governments. So we've seen some of these foreign hacker groups intentionally Target Healthcare infrastructure and try to dig its roots into deep into our our nation's healthcare infrastructure to gain some leverage in those negotiations that sort of things go South that they know that they could cripple some of our our healthcare infrastructure. The other big component there is some people will attack healthcare organizations just for the ideology or because they think it's fun. So there's been a couple cases on the news where I believe there's a Children's Hospital that that treated a allegedly treated a patient poorly. They then launched A denial of service campaign that shut down that healthcare companies network and it wasn't until a bunch of media backlash it that that person relented and gave access back to the hospital.

[Bob Kaiser 15:49]

That reminds me recently here in our hometown of the city was they had some type of attack on their systems which basically potentially could lose all types of legal files and in court documents and things like that. And it's like what when you get into a situation like that and you're asked to pay ransom, what's the, what's the best practice? What's, what's the advice that you give people Who do you call and what do you do?

[Joshua Spencer 16:14]

Yeah. So you certainly want to be prepared with an action plan. The time to put together a plan isn't once you have this, this major event. So definitely need to understand, you know, work with a security expert to understand what are the most common threats out there? What are the best practices for responding to it For something like a ransomware attack? If you have an insurance policy, does that cover the payment of of some of these ransoms? If you have disaster recovery plans, making sure that they fit all these scenarios that you can be up and running if bad things happen.

[Bob Kaiser 16:46]

Well, I know it doesn't have to happen to a big organization. I've got some friends who've said, you know, they've they've had their home computers, ransomware, they've had their Instagram files hijacked and they can't get their their information back and things like that. If it happens to an individual, because a lot of our audience are individuals as well, they're not. They're not what I'd call the chief information security officers, but what would an individual do? Would they call their local Police Department or they did just? Frustrated and give up what's what's what's the best advice for them, Josh?

[Joshua Spencer 17:17]

Yeah, I'd say they should certainly reach out to their local Police Department. But they can also coordinate with some cybersecurity companies that specialize in in working directly with with consumers. Because the way that someone responds to an individual attack is going to be very different from the the way they respond to a large corporate attack. So you take a look at the healthcare scenario, your average ransomware attack is going to be $4.8 million. Whereas when we see some of these attacks on on individuals, those are going to be closer to around the range of $300.00 per computer. So the $300.00 is much more likely for an individual to to be able to pay. And there certainly are a number of moral considerations as well that you you might need that data. But for every person who who pays that ransom, they're now funding the next round of of ransom attacks that that are going to target even more people and potentially destroy even more lives. So that that's a call that I would definitely recommend you make in consultation with your your local authorities and a cybersecurity expert. Based on unique facts of the case and what's been stolen, this episode is brought. To you by the Center for Healthcare Leadership. And management, the definitive resource for healthcare management education in North Texas. The center is based in the Naveen.

[Bob Kaiser 18:37]

Jindal School of Management at the University of Texas of Dallas.

[Joshua Spencer 18:40]

It plays a unique role in training the next generation of healthcare leaders to meet. Local, regional and national demands the Jindal School uses its. Strengths in Accounting, Administration, Finance, marketing. And information systems to educate highly qualified personnel for healthcare administration and executive leadership positions. The center is home to seven healthcare leadership and management programs, including undergraduate and graduate programs, as well as executive programs for physicians and working professionals. For more information, visit us online at Jindal dot UT Dallas dot.

[Bob Kaiser 19:15]

Edu/ healthcare. Is ransomware becoming more prevalent? Is is that, if that was a product, is that product selling, is that a big growth area?

[Joshua Spencer 19:25]

Yeah, so it ransomware really started to come popularized right around 2013 and and I would say that's definitely a permanent fixture in the world of cybercrime. It it peaked right around last year and has been fairly steady. But unfortunately healthcare customers are they're one of the most common and lucrative targets. You know this is because Healthcare is one of the most likely markets to pay ransom. So we we take a look at a report that I BM released earlier this year. You know they're showing healthcare as probably the the largest market impacted. Part of the highest rates of highest demand for some of these ransom payments and even at that $4.8 million figure that I I mentioned most analysts and myself included, you know we we find that that number is actually likely to be much higher. But another factor that's really going to impact healthcare so heavily with ransomware is the quality of our healthcare delivery is so closely tied to use of our electronic systems, we have to worry about potentially fatal outcomes if our access to healthcare data isn't there. So factors like you think delayed care and ability to access urgent information like blood type allergies, medication lists, these are huge factors that are going to motivate a healthcare provider to pay a ransom pretty quickly and as quietly as they can. And when we talk about fatalities this this is no longer a theoretical risk. Poneman Institute, they they performed a study last year across 600 healthcare facilities and they found mortality rates increase in facilities that were experiencing A ransomware attack. And then we we we have these large macroeconomic numbers but we can actually zoom in and look at specific cases. Now a case where emergency department, they had to turn away an ambulance during a ransomware attack and that patient died during the reroute to the hospital and that likely would not have been the case if that emergency room was open and operating. And then we have another case in Alabama where a critical piece of modern equipment was down due to ransomware infection and didn't detect an umbilical cord wrapped around an infant's neck until it was too late. And and that's, you know, those stories are exactly why me and and so many others, we choose careers in healthcare, cybersecurity. You know, it's not just about protecting A business's profits. It's really a moral duty. I'm sure we have some of the highest standards of our data protection because it's really, it's our patient's lives that hang in the balance. You know, every bite of stolen data could could not just turn a patient's life upside down. It could actually end it. So definitely to defend against these attacks, when we look at how do we defend against them, you know one of the most critical elements there is what we call an air gap that that goes between the healthcare network and your data backup. So think about you know, storing a copy of your important data on devices that are totally disconnected from electronic system and stored physically in a vault somewhere. So yeah, unless the criminals going to physically break in your vault, your data is back up protected no matter what that hacker has access to electronically. Or there's also a number of additional technologies that can help prevent ransomware detect it, shut it down before it spreads across your network. So you should definitely pair it with a variety of controls to help keep your organization protected or even from a personal standpoint, making sure your computer is up to date with the latest security software and patches and and things like that.

[Bob Kaiser 22:55]

So I I have a nice little four terabyte solid-state disk drive that I use to back up my personal information. I can have an air gap there. You know, I can. I can stick that over there into a safety deposit box or into a different room not connected to the Internet. But my goodness, what would you do for a large Medical Center where you've got just a tremendous amount? I can't even use the word to describe how much data there is. How can you create an environment like that with an air gap? That seems like impossible.

[Joshua Spencer 23:28]

It it certainly is a herculean effort with some of these systems storing data and in every corner of the network. It definitely takes a concerted program to look through your organization's data. You're not going to back it all up in a way that might be preventable from some of these ranks more attacks, but you can at least identify these are the most critical pieces of information that we're going to make. The additional investments to make sure that they're secured and backed up and and air gaps.

[Bob Kaiser 23:56]

At the beginning of our conversation, I promised the audience that we would maybe take a little bit deeper look into the technology pool, looking a little bit more and tur, we we've learned a whole lot here about a lot of the issues and a lot of the mitigation things we can do to help maybe avoid some of this. There's got to be a bigger, better solution in the future that we don't know about yet. So is there? Can you give us a high level overview? I've heard of quantum computing. Can you explain what that is and how that might impact cybersecurity in the future?

[Joshua Spencer 24:29]

To get a better idea of what quantum computing is and really why it's so impactful to cybersecurity, just just imagine you're in a massive library. It's got thousands of books, and you need to find one specific sentence within one specific book. So the way a computer today is going to do that, it's going to be a very diligent reader. It's going to pick up each book one by one and look for that sentence. It's going to take a very long time, even if your computer's a very fast reader. Now, quantum computer, though, it's going to use some incredibly weird and unique physics that allows it to read through each book at the same time. So it's going to find your sentence much, much faster. So the problem we're facing today is, is the way we encrypt data is by performing a complicated set of math problems that only people with the key are supposed to be able to figure out quickly. Well, these these quantum computers, they can now solve in seconds what would have taken a normal computer decades to solve without the key. Now, thankfully, the the quantum computers that exist at this moment, they're they're very expensive and very fragile and only accessible to large governments and research labs. Although I'd anticipate the next three to five years are going to bring the public access to powerful quantum computers. Computers are going to be capable of breaking encryption that we've depended on for decades in just a matter of seconds. So yeah, if if the data you're trying to protect is things like credit card numbers, really not a huge concern right now because by the time this quantum computing technology gets an attacker's hands, yeah, it's that data is not going to be valuable, it's going to be expired. But in healthcare, we are challenged by the longevity of our data, Social Security number, a date of birth, a black male medical condition that's still going to be just as valuable in five years as it is today. So we're seeing cyber criminals scooping up just large volumes of encrypted data from public networks, with the plan to harvest that data years later using these quantum computers.

[Bob Kaiser 26:34]

Wow. So when we look at this whole world of quantum computing, it sounded pretty devastating that the bad guys are going to have some tools against us.

[Joshua Spencer 26:43]

Is there any positive news about the good guys using this? Yeah, absolutely. It's not all bad news with quantum computing. There are some encryption methods already in use today that are what we call quantum resistant. And so we're already seeing security departments implementing those measures. We're getting rid of the easy to break encryption methods. We're also seeing some really powerful research into quantum computing that provides a level of security that is theoretically uncrackable and it gives that by exploiting some very unique properties in quantum physics. So I'd imagine within the next few years we're going to see those new quantum networks and quantum protocols start to pop up that provide a much greater security and privacy than any other technology that we've had in the past.

[Bob Kaiser 27:29]

Wow. That kind of opens the door for a topic that we hear a whole lot about today. Everywhere you go, you hear more about artificial intelligence. A I Could you give us kind of a high level overview of what that really means? What does artificial intelligence really means and and how can that be used for the good guys and the bad guys?

[Joshua Spencer 27:49]

When it comes to cybersecurity, I tend to be fairly pessimistic when there's huge hype around a particular technology. So I'm thinking Bitcoin, NFPSVR, lots of potential there, but often overhyped. A I though this this feels entirely different to me. It was just a few years ago that a I really started to impress me in its potential. Certainly put a a lot of research and effort building up the the capabilities within myself and my team and really gained an understanding that this is going to be an incredible potential to do great things that most of us thought would come about in the next 5 to 10 years. But what's really shocked expert technologists though is really just within the last 12 months we have surpassed the A I capabilities that we thought would be there in 20-30. So really, just despite all the hype and hysteria that that A I's gotten even more intense over the past year, I still don't think the world, most of the world truly appreciates how much of an impact AI is going to have in our day to day lives. And then of course with with every other technology from our past, both the good guys and the bad guys, they're going to find a way to make use of it. So on on the bad guy front, we are seeing already daily attacks against healthcare organizations using AI. Some of our clients are getting customized emails from scammers that will read through a public profile on, say, LinkedIn and pretend to be a friend on that page. They're going to use all the details on your profile to tailor that scam to to trick you the using the most likely scenarios that could come up with and offer just pennies for e-mail. I don't know if you've seen on some of the news headlines there's been some heart wrenching stories of mothers getting calls from their distraught daughters saying they've been kidnapped and they need to send a ransom payment to this this address. You know, the criminals are they're using a I they're using free voice cloning technology and using, you know, deep fake video generation to create really believable conversations or even video calls to help extort the money. So we we actually counsel our clients both in in a business and personal sense to establish code words with your coworkers and your family to help verify your identity. Because even with the technology today and its infancy it's it's very possible that the next call you get on your phone could sound just like your loved one or your your coworker asking for a transfer of money or or some other suspicious activity. And and while some of the the large A I services that that you see on the news open A I Google Bard they all have some security controls that prevent them from being used for evil. But there's unfortunately many ways the cybersecurity criminals have have found to either get around those controls or they've also built some powerful uncensored A I technologies that have those security controls removed. So again the the silver lining here is is really seeing the progress our cybersecurity community is making on these powerful new A I protectors. It can look through vast amounts of data much more quickly than a human can and identify and shut down some suspicious behavior. So a I is recognizing potential hackers in a network and crafting automated responses, all in less time it would have taken for a human just to even read that first security alert. And I'm sure many of us, myself included, we we're ready for the end of phishing and spam emails. And it's really great to see this latest generation of a I technology is is much more capable of detecting and deleting some of those unwanted emails. And then given some of the the tight budgets that we've seen in in many health coordinations, this this A I technology, even if it's current state. It's allowing, even as a senior junior security analyst, to be perhaps 20 to 50% more effective at their job when they're using a I to much more quickly analyze attacks and progress, or to help build stronger defenses into their networks than what they could have by themselves. So if you haven't checked it out yet, Microsoft Security Copilot, it's not generally available yet. But if you do want to see what types of capabilities and features are right at our doorstep, I definitely recommend checking out their demo. It's some pretty powerful stuff.

[Bob Kaiser 32:10]

I'll tell you what, it's a pretty, pretty scary world that we're entering right now. And we all need to be better educated. We all need to know more. We all need a guide. The old saying is, if you're going through the Grand Canyon on a Colorado River with your 10 year old child, who's the most important person in the boat? And most people would say it's the child. However, it's the guide. It really is the guide, the one who knows what's ahead and how to deal with it. Josh, thanks for being our guide today. We need guides like you. So in closing, what final words of advice do you have for our audience?

[Joshua Spencer 32:50]

Yes, I would definitely say cybersecurity is not just a concern for IT people or security people. It's really everyone's responsibility to better understand the threat and the ways that we combat it. And that's really why I'm so thankful that your listeners have taken the time to learn a little bit more about this today. You know, whether you're a physician, a nurse, a student, an executive, really any other healthcare professional, we, we all have a role to play in protecting our healthcare data and we really have to make cybersecurity a priority and not just a cost of doing business, but really an investment into the the trust and the safety of our patients and the community we serve. So definitely to to your viewers, I'd say stay diligent, stay informed, don't hesitate to ask questions about how your information is being protected.

[Bob Kaiser 33:40]

Well, thank you, Josh. We'll be sure to post some of these resources in the footnotes for the podcast. And it's been a great pleasure to have you join us. We'll have you back again in the future too as the world continues to change. Thank you. Thanks for listening to the Business of Healthcare Podcast. To learn more about the Center for Healthcare Leadership and Management, go to jindal.utdallas.edu/healthcare.