Digital Health Talks - Changemakers Focused on Fixing Healthcare

Managing Cybersecurity as Digital Care Transformation, Growing Cyber Threats, and Regulatory Changes

Episode Notes

Originally Published: Mar 28, 2023

YouTube Video: https://youtu.be/cc5bgr2g2KI

Managing Cybersecurity as Digital Care Transformation, Growing Cyber Threats, and Regulatory Changes Converge

Healthcare delivery continues to be driven by the growth of data delivered through wearable and sensory devices. Such devices feed cloud analytic platforms and offer real-time EHR updates that providers and caregivers must be able to access anywhere. Yet, they also allow for more avenues for account and network compromise for threat actors targeting care delivery for ransom. As a result, regulators have increased scrutiny to ensure providers implement best practices to prepare for and respond to cyber incidents and that senior management and Boards understand and mitigate cyber risk. In this session, health system leaders will discuss the following:

Terri Couts, RN-BC MHA, SVP and CIO, The Guthrie Clinic

Matt Phillips, Associate Director Cybersecurity, Guidehouse

Steven Ramirez, Chief Information Security Officer, Renown Health

Neil Carpenter, Health Care Innovation & Chief Strategy Officer

Episode Transcription

Neil Carpenter: Hello good afternoon everyone. My name's Neil Carpenter and I'm excited to be with Health Impact Today and introduce an amazing panel of experts on one of the most important, but sometimes least talked about topics, which is cybersecurity and healthcare. So why don't I turn it over to Matt and we go around and introduce ourselves.

Matt Phillips: Thanks, Neil. Hi, I'm Matt Phillips. I'm a director at Guidehouse, which is a large consulting company, and I focus in their, the healthcare and life sciences payer provider area, focus on cybersecurity and risk.

Terri Couts: I'm Terri Couts, I'm the Chief Digital Information Officer at The Guthrie Clinic.

I'm a nurse by background and The Guthrie Clinic is an integrated health system and serves patients in New York and Pennsylvania and the northern southern tier of those two states.

Steven Ramirez: Steven Ramirez, and I'm the Chief Information Security Officer at Renown Health out in Reno. So for all you bad skiers, thank you.

We again, are an integrated health system, much like Terri's that do focus on end-to-end medicine. We also have an insurance subsidiary trauma facility for the area and also have an affiliation with University of Reno Nova.

Neil Carpenter: Excellent. Thank you panel. Amazing discussion ahead. I'm sure.

Matt, why don't you kick it, kick us off talking about the cyber risk environment and your perception of cyber risk environment, and particularly how you think it will be changing in the coming years.

Matt Phillips: Well, I, I, a little difference between the risk and the threat. I'll talk a little bit about the threat environment.

I, you know, I, I won't quote a, a bunch of statistics, but I think what we're, what we all know in the healthcare environment today, that one, we're the number two industry as far as the number of attacks and the focus of the threat actor, right behind the financial institutions, and, and we see that continue to grow.

I, I don't think I can, I can give you every statistic in the world to go scarier, but we know that the threat is growing. It's more sophisticated. They'll always spend more money than we can spend to try to attack us. And, and we can't do anything about that. And, and the, the focus of the threat has really changed.

It's, it is. Just about getting that medical record and, and going and using it to, to do medical fraud or that it's really about impacting the delivery of care in order to gain mostly for financial gain. And so that's opened up a much broader group of attackers, not only nation state attackers, but anybody out there looking for financial gain who can go leverage a ransomware kit that's out on the, out on the dark web.

And so we know that healthcare is, is the second most attacked industry. We know that the impacts are greater because of ransomware, and we know that the, those ransomware techniques are changing quicker than every time we can figure 'em out. There's a new one changing. So we have, that's the, in the kind of the threat and if you wanna say risk environment, but that's really the threat.

The risk side of it is it's a much bigger impact. It's the impact to care. It's the impact to, you know, clinical operations that has become the, the bigger risk side of the equation.

Neil Carpenter: And, and Matt, just as a quick follow up on the, given that we're the second most attacked industry, maybe you can share a couple of names of organizations who've been impacted in the last year or two by this situation that you can share because they publicly disclosed. I'm sure there's many others.

Matt Phillips: You know, they're out there. You, you hate to name names. Common Spirit is the one that, you know, probably everybody on this call is gonna gonna know from the front page and you hate to say it. I mean, they were impacted for a number of weeks across a number of health systems, across a number of states in ransomware.

And that just goes to show you that, you know, even a large medical organization that that has the financial wherewithal is, is capable of being impacted. And so, you know, that's one you know, you could probably name off a dozen others, but that's good. That's good. It's just, we know that it's small medical organizations and people looking for, you know, tens and tens of thousands of dollars in Bitcoin to those larger organizations where they're looking for millions of dollars of, of ransomware payments.

Neil Carpenter: So I know that one of my four organizations was a, was a victim, wasn't talked about, wasn't on the front page of the, but I, I was there, we were a victim too. So, as a follow up to that, because this is such a big deal and grown in recent years and I think there's a growing awareness of it, can you talk about some of the sort of policy and the regulatory changes?

I know the SEC is coming out with a big new risk disclosure for public companies. Can you just kind of address that regulatory environment brief.

Matt Phillips: I think because we all know what a critical part of the infrastructure healthcare is, we're seeing the government regulators really finally, and, and I think this is a good thing, they're finally stepping to the table to try to help strengthen every organization in healthcare, especially the provider side.

And so I think that's what we're seeing in the regulation is the help without, you know, in, in most of this regulations, there's not a stick yet. It's really there to help the organizations. You know, when you look at the amended HITECH regulation that just came out last year. It talks about here are some best practices for healthcare.

The, the Health and Human Services 405(d) task force has really helped kind of lay out here's some basic best practices that all healthcare providers should be doing based upon their size. And if you're, and if you can show that you're doing those things that they outline, then there's opportunities.

Speed up the investigation to mitigate the, the fines and penalties and those type of things, if you can demonstrate those things. And so it's not onerous. It's asking you about, let's look at the biggest threats and do these things that we know all healthcare organizations should be doing. You know, the proposed, if you're a publicly traded company, and the proposed SEC rules is really helping the CIO and the CSO because it.

Forcing senior leadership to engage, to be able to, you know, report on the risk program and the cyber program and the materiality of that program in SEC reporting and, and we're still waiting on that to finally come out, you know, the Healthcare Cybersecurity Act. Right. Came out and really focused on the 16 critical industries and said healthcare is one of them.

And so we want to increase the reporting around healthcare breaches. Standardize what's in those reports, get them into the CISA and be able to go help all organizations, you know, one, know about the threat quicker and be able to react to it and understand how to react to it. So I see those things all as.

But they do have an operational impact, not only on the, not only on healthcare organizations and those, and those that are on the front lines, the CIO, the CISO and their teams, but also senior management and, and kind of pushing them to engage and to help those teams understand what needs to be done and how do we, how do we go about reporting.

Neil Carpenter: Yeah, Matt, that's great. But as we're talking about senior leaders, I would love to bring in Terri and Steven into the conversation and talk about what you think are the perceptions today of this issue, the cyber risk, cyber threat inside organizations, maybe at other providers you're in, because I know we hear are all like drinking the Kool-Aid, but what's your view when you get outside of these nerd panels?

You know, what, what, what is the perception out there among, among stakeholders?

Terri Couts: Yeah, I think there's various views but primarily if you're looking at the provider, it's like putting a teenager behind a car and telling them not to use their cell phone, right? They think it's, it's not gonna happen to me.

You know, you don't know what you're talking about or the role that they play in the situation. And I, and you know, now that's not everybody. I am fortunate enough that I report to a CEO that has experienced a cyber attack and felt in, in a real time and knows the impact that it has to patients.

So it just depends on their experience. But I would, I would think that most providers are not aware of, of the threat that can happen to them directly. I also feel that, you know, they, they kind of think that this is an IT problem. We've gotten really good about down times when we're doing system upgrades or, you know, responding to incidents that are non you know, cyber related and you know, they, they feel that we'll just get it back up.

And they don't understand, again, their role in, in, in really continuing the business and the care that the patients deserve depends on their ability to adapt to that outage and that that outage can be several weeks as noted by Matt with, with Common Spirit, but then also, you know, other organizations that have been, you know, four weeks, six weeks, eight weeks out.

And you know, so I think there's a lot of misconceptions that this is something that is a fluke. And that won't happen to them. And it's our responsibility to.

Neil Carpenter: Steve, do you have comments on that? Is anything, anything that you have any differences? Is, is your experience pretty common to that?

Pretty similar to Terri's,

Steven Ramirez: I think. I think that's pretty similar. It, it's all dependent on the users. I think we're seeing we're just looking at creative ways for our nursing staff because again, I think every organization is, you know, stretched really thin on nursing shortages, staff shortages that were brought on by Covid.

So I think that at the top down they really get it. You know, you're presenting to the board, you know, they understand their risk, but still lot of those board members have been involved in that. We're starting to see a lot more of these lawsuits, class action lawsuits. There's already been two slapped on Common Spirit.

So I think that they're really aware of that with cyber insurance and a lot of that, your CMIO, your more technical groups. But again, to Terri's point, it's about just educating that it, you know, takes the whole community. It takes everybody within the organization. Cyber's not just IT's job. And I think that that's that continued education that we do have to have and it, our end users are our biggest risk, which we'll see.

Phish is the most, you know, effective mechanism, you know, multi-industry. Yep. That's how they're still getting in. So yeah, it's, it's a continual battle to let everybody know that IT's here to operate the system. Security, you know, is a subset of IT, but again, we're here to protect the organization with people, process and technology.

Technology is just one of those pillars. So again, it takes, takes a village to be successful in this.

Neil Carpenter: So, just kind of sticking with Terri and Steve for a second. While we, while we have the challenge of sort of like a broad stakeholder environment who have very diverse and different sort of priorities as a DA on a day-to-day basis, on the one hand of the stakeholders, on the other side is frankly the most challenging economic environment in some cases for providers that I've ever seen in my career.

Other people who, who are a little older than I am even have said the same. So, You know, I, I've been there through tough board and budget battles myself, but man, that was a better economic time. So how are you addressing, how, how do you think organizations are addressing that today? You know, and, and to be honest with you, yeah.

What, what do you think about that?

Terri Couts: I think a year ago or two years ago, it, it, it was an easier conversation because we really didn't feel the true impacts of the workforce shortage in covid. Now that the CARES Act funding is, is gone and we're really not. We, no one really thought that, that the financial burden would continue this long.

Yeah. So I think it, it's a different story today, but what we do is we, we analyze the, the likelihood of impact. And what we can do to mitigate that. And then the cost if we don't. So we know how many patient records we have. We know if what a downtime is. We know how many visits, and we put a number to that and we educate that if we don't do X, Y, Z, this is the risk that you're taking and this is the likelihood that this is going to happen and this is the impact.

And a lot of times it's, you know, five, six times what the initial investment would've been if we would have just prevented it to begin with. So that's the approach that we're taking. We, we update that on a quarterly basis. And we you know, we, we manage it like a program instead of a project. And, and just course adjust as the environment changes cuz we know that that's not steady state.

Neil Carpenter: Steve, I know you're always batting second seemingly in our, in our question lineup. But do you have any, do you have any comments on that from your perspective?

Steven Ramirez: N no. I mean, Terri hit it on the nail on the head on that, but it, you have to take a risk based approach. There's just so many things that can happen, so many things that can go wrong in an organization and.

I think it's just you're one hand with, you know, many others at the table asking for funding. You know, people need their new MRIs, supplies have gone through the roof on trying to get that staffing that we're seeing a majority of our funding go towards travel nurses and, you know, trying to get supplemental staffing in some of those shortage areas.

You know, the cost of a bandaid has gone through the roof just with supply chain short, everything associated with that. So I think that that is problem. And even, you know, as a precursor to the question before that it again it's educating our team and then using that risk-based approach to say you know, this is what's going on in the environment, the headlines, you know, you could always scare people to a point, but that's not necessarily always gonna open the wallet per se.

Yep. But again, yeah, we just like to again, drive that home and then say that this. The ROI to really show that, show metrics to say, this is where we invested in. We know it's expensive to run a cybersecurity program, but this is really the ROI that you guys are getting from that to to, you know, attack toward it.

You know, events that could have happened that, you know, this happened. And really being a storyteller like this happened at Common Spirit. This happened at Tallahassee Health recently to really say, and this is why we're investing in these precautions. This is why we're doing these training mechanisms to really, again, paint that picture that you are.

That money in the right way. It's like car insurance. It's again, like if you don't have it, you're hoping that person ever runs that red light and hits you, but you're gonna sure be happy that you have it when it happens.

Neil Carpenter: So, Matt, I think you wanted to chime in.

Matt Phillips: Yeah, and I think, you know, we're seeing across the board where there's still an interest in investing in cyber security.

I mean, healthcare organizations have spent a lot more over the last five years, and those board and senior management are still willing to spend in, even in an environment where they're trying to figure out. How do we survive over the next, you know, two to three years to get past this hump? They're still willing to go support that CISO on their spend, but what we are seeing is a little more, right, how do we spend more effectively and tell me what are we getting on the return, or what did we get for what we invested in in the last two or three years?

W when, you know, they're, they're sort of kind of getting to where it's wins enough. And I think that is a, a continual, as, as Steven said, it's a continual conversation back and forth and really being able to paint that risk picture and, and Terri pointed it out, it it. The impact is so much greater these days.

If I'm trying to, to fill a $200 million hole and I'm looking at revenue cycle, or I'm looking at other things I need to do to go grow my business, and all of a sudden I'm hit with ransomware, that's now, yeah, you know, on the surface, a, you know, multimillion dollar, if not tens to a hundred million dollar problem depending on your side.

And then all the work to go deal with the legal, regulatory, all those other things, it can take everything you were trying to do to short your business and now flip it upside down. So it's always gotta be there and you gotta think about and really be able to measure that, that risk to make the right decisions and continue the right investment.

Neil Carpenter: Yeah. So actually Matt, right on that point can, can you maybe highlight two or three things that you've seen recently that you think are the best ROI investments people have been making. And can you talk about just like a little bit more granularity on that, on that return piece?

Matt Phillips: Yeah. You know, and, and I'm going to, and, and this is gonna sound like a broken record.

But when we, when we come in and generally, you know, we're coming in on the back end of a strategic advisory for. Yeah. You know, the healthcare practice itself and we're coming on the back end or, or a tag-along to go take a look at the program. And, and every program has, third party comes in, they do a one-time assessment, they find a bunch of risk, and they, you know, put 200 risk on a spreadsheet.

And, and now they, now it's just o and the CIO have to react to it. And, and so they spend a year react, getting, funding, reacting, and next year they get the same thing. And so we come back to almost always, there's three to five things you could do to lower your overall risk and to be able to focus on the critical things.

So it, it comes back to basic hygiene stuff. Know your assets. Right it, you know, make sure that you've got a strong ITSM system so you know your assets, you know your data flows, you know those things on your network. It's do patching and vulnerability management. It's focused on, you know, your identity and access management program.

And there's a million ways to follow that. But if you really do those three to five things and make sure the tools that you have are fully integr. Then you can have the room, both people, process and technology to react to the, the environment or the big next thing and be able to, and be able to react to those five or 10 critical risks instead of having.

A hundred high risk, right? So focus on those things. Focus on integration and focus on basic IT hygiene, and getting rid of operational debt. That's always the answer upfront. Now there's nuances, but again, if everybody did those things and they integrated the tooling that they spent money on, you'd see the overall risk posture of the organization lower significant.

Neil Carpenter: I think it's overall, it's just sort of a principle of strategy. If you have a lot of priorities, you have effectively none. Right. Terri, were you gonna jump in?

Terri Couts: And also say some of the simple things like, you know, Phish campaigns and, and things like that can, although it seems such, such a low hanging fruit, it really is very impactful.

And, and we do it around, you know, open enrollment. So we'll send Phish campaigns around. Yeah, it looks like open. So, so not that we're trying to catch everybody, but that they can understand how to identify the difference because typically how you know, we get compromised is that somebody lets their guard down.

And, and spending a little bit of money on education and, and, you know, making sure you have a strong framework to show the data around that I think is really high, highly valuable.

Neil Carpenter: So, let me, let me direct the next question to Steve, which is, we, you know, we've talked about some great areas of return on investment and some of the tough stakeholder management we have as, as a person is sort of an interface between a lot of different points here.

Steve, what could the people who are dreaming of new companies and new technologies and new products, what could they bring you tomorrow realistically, right? That could make your life easier that you'd wanna champion through the organization?

Steven Ramirez: Well, there's no silver bullet for anything.

No technology is ever gonna take away human error. Sure. I think there's a lot of opportunity. AI that we're already seeing that, I think that's one of the emerging means that in automation, so SOAR, which is security orchestration, automation response with staffing shortages we see and with just so much volume and dependency on technology embracing technology.

To see where we can better use that. And I think that's the, you know, tip of the spear. Items that we can really focus on. Again, automation, early detection, you know, a lot of what Matt alluded to. Sticking to the fundamentals and controlling access as you see on all of this, that, you know, phishing's usually the way they get in.

And then it's a compromised account so we can really lock down access. And, you know, the, the buzzword Zero Trust really embrace the fundamentals of what make up zero trust to really control that access, privilege access, multi-factor authentication, that there's still people that aren't doing that, you know, after.

You know, years of, you know, preaching of doing that and then, you know, getting creative and fun with training and awareness that I put on a spam costume, you know, for my board to again, you know, remind people about what to look out for for spam and phishing. I've had my team go around and, you know, put in fisherman outfits.

We've, we've used the Home Alone scene of, you know, the Wet Bandits trying to get into Kevin's house and, you know, his defense in depth is a way, like, we're trying to keep the bad guys out and that's like the investment.

Neil Carpenter: I love the physical extra mile to get attention. I mean, you're just like, there is no way that I won't, nothing I won't do to get the job done.

I love that dedication, man. Terri I won't ask you if you've dressed up in costume to try to properly get attention on an issue. But is there any other comments you wanna add to that or, or, or, you know, things you wish were, you were brought by people in the community that would help make your life easier that you would, that you'd want to?

Terri Couts: No costumes here for me. However I I would answer that question a little bit differently in, in that, not necessarily new cyber tools, but as we have vendors who are developing that are trying to solve use cases around workforce shortage or, you know, Automation in other areas that they come prepared into the table to be a, a partner in the fact that they own the risk too.

And that this is not just you know, something that is directly on the healthcare providers that, you know, they, they, they take the seriousness and the development around those tools and making sure that they can also protect. Cuz a lot of times, you know, there are third party Gateways that also, you know, impact health systems in, in a very meaningful way.

And, and we address that through our contracting rate at the beginning. And so we, they don't even get to the door if they don't have the minimum requirements. And, and, you know, we, we kind of get seen as the bad guy because we're holding up something that either research wants to do or but, but really we're, you know, trying to do what's right for, for the organization because in the, in the end, we're the ones that are ultimately,

Neil Carpenter: Steve, do you have comments on that and then I've got a follow up?

Steven Ramirez: No, I mean, Terri hit on something that's probably the most important thing. One of the biggest things outside of access and early detection we're getting at is third party risk management and working with your partners because again you can do everything right organizationally with your training and awareness, your controls.

And then the third can, you know, have your account compromised. So that's something too that we're, we're doing on the MSA. We're adding security addendums really making sure we're going through and getting a lot more thorough. And looking at creative ways on, once you give data out you know, you're protected by a BAA, but is there ways that we can de-identify and get back to, you know, the fundamentals of that to better protect our organization is the upfront.

And again, making the tough decisions. Like Terri said, you know, do you guys have backup vendors to this? Like if these organizations aren't willing to. Utilize proper security hygiene. Is that really the risk we want to, you know, bring into our organization?

Neil Carpenter: Yeah. And, and I think it's actually particularly opportune with the number of big in-person events out there and the number of people who were in a very competitive situation around a lot of solutions and the capital environment changing.

People are gonna be really frantic to sell things to your organizations like Fast, like tomorrow, right? And so they will be hyper aggressive with their sales tactics. Maybe if we can just circle back to this for a second. Can you maybe just say, here are the two things, whether it's certification or a rule, even at the phase of being a little repetitive here, a certification, some rule, some function that every single vendor should have before, in your ideal world, they'd ever open a mouth to somebody who might be a buyer at your provider.

Terri, do you wanna start on that?

Terri Couts: So we have minimum requirements from insurance liability. I. And then we have we have a requirement for for the vendor to also have some sort of SOC 2 or something of that nature where you know, they're also actively monitoring. Those, those are probably the two highest.

And depending on the type of vendor, there could be several others, but that, that's where we start.

Neil Carpenter: Okay. So that's a filter. If you don't have that, you want people to steer clear, right?

Steven Ramirez: Strong access management. Again, that's what we see on just open-ended VPN or kind of unorganized structure on how they want to connect.

So standardization and strong access controls and then agree, SOC or HITRUST, people wanna do business with healthcare. You know, again, show us the fundamentals to that. Cause that's pretty thorough and healthcare focused outside of just, you know, the generic nature of SOC. But again, show us generally when we're doing those security reviews.

I'm not sure Terri would agree. There's a lot of organizations that still don't have any certifications. So that's the ones you're gonna have to put through the 500 questionnaire ringer versus organizations that do have those certifications, show that they value security or investing in security because we know those are very tedious and we can have more targeted questionnaires than people that actually have those assessments

Terri Couts: and verifying that what they say is actually correct, because sometimes they say something.

Neil Carpenter: Really, really? I'm shocked. I'm shocked, Terri. Okay. Matt, you wanna chime in?

Matt Phillips: Yeah, I, I think, I think Terri and Steven have it. Absolutely right. But along with that is understanding the scope of what you're asking them for because we, a lot of vendors can, can have certifications and they can be scoped for something you didn't buy.

So that's really. Part of that, making sure that you've got a close relationship with your procurement and legal organization so you really understand the scope of what you're buying and, and what they're delivering and those certifications and processes apply to what you're buying. So that scope is, is a critical piece to it.

Neil Carpenter: And, and I just would think that in this vendor environment, there may be a lot of pressure for sales, but it also means you're gonna have a lot of.

As provider organizations on who you work with, and you can really effectively use this as a way to weed out people who can't meet your standards because they're, they, they need your business a lot more than you need their business so to speak with this current environment. So, I know we talked about Steve's willingness to dress up.

We know we talked about some of the ROI calculations, but is there, maybe can we just also circle back and say, you know, for every panel. Tell me one thing that you think is an effective tactic for communicating this issue to very busy, very stressed stakeholders. And let's start with Steve.

Steven Ramirez: Make it simple and show maturity.

So put, there's a lot of components that make cybersecurity so boil that down. Know your stakeholders and provide meaningful metrics to show what the risk is, the plan to remediate that and the progress in stakeholders. To drive that to a tolerate or a tolerated level or accessible level.

Terri Couts: Terri, I would say use realtime examples.

Make it something that they can relate to. We had a recent event where we had an internet outage in a, in an area that they didn't have phones and then Epic and in all of the services that they use to provide patient care. Although it wasn't cyber, it was, it was a good, good example to show how the impact of not having these systems can impact the, the ability to deliver care.

And the, you know, their, their their way of actually contributing to knowing their downtime procedures, knowing how to facilitate communication and those kinds of things.

Neil Carpenter: Finally, Matt, do you,

Matt Phillips: I, you know, I think the biggest challenge is staying away from the technical details. I mean, we all, we all like to, to get into the bits and bytes, but stay away from the technical details you gotta put.

Those risk in business terms and you have to have metrics that are understandable in business terms. They can't just be in, in, you know, your detailed operational cyber metrics. I think those belong with, with the IT side, you gotta get around it and say, this isn't just an IT problem, it's a business problem.

Let me put it in your terms. And a lot of times that is a process that is, that takes a number of cycles and it's a partnership with, with. Other parts of the business and Theso and the CIO to really come to understand those terms together and then do it consistently. Right? Bring that up consistently.

Don't throw something at 'em new every single time you have that conversation, but show 'em where you're making improvements based upon the things that outline risk for you that you've agreed upon. So, and that's, that's a, that's a learned process and it generally, it's different with every organization, but it, if that partnership happens, you can get there.

Neil Carpenter: Yeah. And, and just because I, I, it looks like I've got time to squeeze in one more question. We talked about workforce challenges. We talked about financial challenges and we'll leave this open to anyone who wants to, who wants to respond. You also have your own workforce. You know, you also are competing for talent.

There's a lot, this is an incredibly growing need. Not only just this industry, right, but other industries. So maybe can any of you comment about your ability to kind of recruit and retain the talent you need to be successful in your organization and any tactics or ideas you have around that?

Terri Couts: For us, I mean, we service a rural community.

It's very hard to recruit to, and, and, you know, not to add to the complexity of just these individuals being high in demand. So we recruit and allow for telecommute. Yeah. Anywhere besides a couple states that have, you know, kind of labor restrictions around some of their the human resource restrictions.

So, I mean, we, we have opened it up and allowed people to work. I mean, we have people in North Carolina, people in, you know, Denver, some other states that, that has allowed us to get good talent. And we also look at, you know, individuals that we can that have the, the capacity to upskill somebody who's really interested, that wants to learn, that can continue to grow and get certified and we can provide that for them.

Neil Carpenter: Steve, do you have a comment about that?

Steven Ramirez: Yeah, a lot of the roadmap that Terri had put together as well. But we also leverage a lot of managed services just to be a stop gap to ensure continuity on that. But we do have a, you know, we'll send our team to conferences, we'll, you know, ask 'em what their three to five year roadmap is.

Cuz then that shows, you know, their investment in our organization for certifications. They want shows, they want to go to additional education and we're seeing a lot more organizations do that. Not only shared services, but also the clinical staff as well to really ensure that retention, because the market is a lot tougher to keep people.

And that turnover really cripples organizations, especially in IT security that, you know, does have those higher touch and system builds. So couldn't agree more with Terri.

Neil Carpenter: Yeah. And then I actually wanna bring that question along to Matt too, because Matt, at the end of the day, is also fighting for talent.

You know, there's lots of people even inside Guidehouse, who I'm sure I'm trying to steal your people every other day. So, you know, what do you wanna comment on about your, how you're attracting and, and, and getting the talent you need to succeed?

Matt Phillips: I, I think it really is focusing on the, the critical roles and as, and as Steven says, find those partners who can do the mundane things and, and leverage them.

I won't say mundane because they're still very technical, they're own. But who can provide those services that aren't critical for your organization? I think if you know you, you gotta focus on those half dozen critical positions and then, you know, give 'em room to grow, help 'em grow, don't ever hold 'em back.

And because they'll, you got people always go chase money and there's a lot of money in the market today, but it really is about creating that work environment for those critical folks. And I think leveraging service organizations who can come in and handle the project stuff. Don't get, don't get your people who are critical, stuck in a million different projects that have a beginning and an end.

Let them be the continuity across all of that and leverage managed services where you can, that makes sense for your organization. And again, re recruit in every conversation you have. You, you shouldn't have a conversation with anybody if you're not, if you're not recruit. I,

Neil Carpenter: I agree a hundred percent and I would actually say that holds true whether you're in cyber cybersecurity or anything else nowadays.

So I, I wanna thank the panel for an awesome educational discussion. I know, you know, in some days in 2019 there was a lot about pandemics we never discussed that we should have. So I think it's so important this is such an important C level and board level issue. So thank you very much everyone.