Calling in the Cavalry: A CISO's Perspective on New Federal Cybersecurity Guidance


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Breaches and ransomware infections are hitting healthcare hard alongside the critical supply chain that helps keep healthcare operations running. The federal government has been issuing a flurry of guidance, executive orders, draft regulations, diplomacy, and more to try to kickstart our national response to the cyber crisis. We are calling in the cavalry, but will it help? 

In this episode of The CyberPHIx, we hear from Steve Dunkle, Chief Information Security Officer for Geisinger Health System.

Steve is one of the country's leading healthcare cybersecurity leaders, and we get his perspective on some of these federal updates and proposed changes to see how they fare in terms of providing meaningful support and guidance for healthcare organizations.

We discuss new federal and standards guidance and related trends, including:

  • NIST’s “Bad Practices” cybersecurity guide for end-of-life devices, default passwords, and single-factor authentication 
  • Ransomware guidance from the NSA, FBI, and CISA on stopransomware.gov 
  • Third-party risk and supply chain risk guidance and pending regulations 
  • Strategies for CISO executive success including focus on customer service, strategic thinking and planning, networking, and continuous learning 

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:20] Hello and welcome to the CyberPHIx, your audio resource for information security, privacy risk, and compliance for the health care industry. I'm your host, Brian Selfridge, and in each episode, we'll be bringing you pertinent information from thought leaders in health care, cybersecurity, and privacy. And in this session, we'll be speaking with Steve Dunkle. Steve is the Chief Information Security Officer for Geisinger Health System. Our session today is titled Calling in the Cavalry: A CISO's Perspective on New Federal Cybersecurity Guidance. Breaches and ransomware infections are hitting health care hard, along with the critical supply chain that helps keep health care operations running. The government is swooping in with reinforcements and guidance to help the industry respond to these cyber attacks. We're calling in the cavalry, but will it help? We'll find out today in our discussion with Steve to gauge his reaction to all of this federal cyber support. Now, let's dive into another great session with another amazing guest, Steve Dunkle.

Brian Selfridge: [00:01:25] I'd like to welcome my guest, Steve Dunkle. Steve is the Chief Information Security Officer for Geisinger Health System. Geisinger is one of the nation's premier health systems, and they're based in Pennsylvania, where we're based as well. So glad to see some local support here. Steve has over 30 years of experience as a health care cybersecurity, industry risk, and compliance leader. Prior to Geisinger, Steve served in leadership roles with Dow Corning Corporation, the Fleming Companies, American Fidelity, Sallie Mae, The Mosaic Company, and more. I'm excited to be speaking with Steve today to get his perspective on the myriad of new cybersecurity regulations and guidance hitting the market at a breakneck pace over the last several years. We'll get Steve's take on the directives from the White House, guidance from CISA, FBI, NIST, OCR, and lots of other federal acronyms and agencies. So, Steve, thank you so much for taking the time to join us on the CyberPHIx today.

Steve Dunkle: [00:02:21] Absolutely, good to be here, Brian.

Brian Selfridge: [00:02:24] Great. Well, let's get into the topic here today, that the breaches and ransomware infections are just hitting health care hard these days. I don't have to tell you, right, along with the critical supply chain that's getting attacked and helps keep our operations running. And it's just been brutal. So the federal government's been busy, I think in a good way, at helping us, issuing a flurry of guidance, executive orders, draft regulations that are floating around. We've had diplomacy with Russia and others and more to try to kick start our national response to the cyber crisis. You know, as one of our country's leading health care CISOs, I always want to get your perspective on some of these updates and proposed changes and see how they fare in terms of providing actual, meaningful guidance and support for organizations like yours, you know, that are on the ground trying to actually battle this stuff. So I want to start with one of the more entertaining pieces of guidance I think NIST has put out recently, and I say entertaining because it's called the Bad Practices Guide. You know, there's so many best practices, so many good things, but they've gone out of their way to say, we're going to tell you the guidance of what not to do with your cyber program. So I'll run through. There's three major areas I want to get your thoughts on. The first is we are not supposed to use software that is end of life and therefore unpatched or vulnerable. So what are some of the challenges that health care entities face in achieving this objective? And how do you think we can actually get this addressed and get some of that end-of-life equipment off the network?

Steve Dunkle: [00:03:48] Well, I think there are two parts to that at a high level. One is definitely more partnership with our vendors, if that's purchased software or solutions. Obviously, there's nothing new to this directive, as we've known for many, many years that unsupported software is never a good thing. So working with the vendors, and I'm sure in your travels you see it a lot in the medical device space, this is a fairly significant concern. The other side of this is to take it off the vendor side and look more at the actual organization and think about, obviously, budget is always important, and so many of these solutions are no longer supported. It's the solution itself, it's not the vendor, and what it comes down to is the vendor will provide a more updated and, let's call it, secure version. However, at a cost, and they have to run their business, too. We all understand that. But organizations, Geisinger and beyond, we all need to realize this is part of the times we're in, and there is cost to staying ahead of the curve, in this case the threat curve, and recognizing that. For individuals like myself, the burden is on us, as it should be, to justify why we need that spend and why it's important to our patients and the organization. But obviously the game changer here, I think we all realize in health care, probably in manufacturing and others also, is the patient safety or human safety aspect which comes into play. So it's a tough one. I think the vendors are getting it. They're trying to support, provide supported systems, but the organizations, their customers, need to understand there's a cost with that.

Brian Selfridge: [00:06:01] Right, I guess we can't just buy another new million-dollar CyberKnife every year as the software update comes out, you know, to patch it.

Steve Dunkle: [00:06:09] That's so correct.

Brian Selfridge: [00:06:12] So let's talk about this second bad practice from NIST, and that is around the use of default passwords. So this may be service accounts. This may be default vendor accounts. I suspect there's a whole lot of places where they may apply. So when you see that phrase, default account, where do you think that is in play in health care organizations? And what are some things we can do to get rid of those default passwords?

Steve Dunkle: [00:06:38] Well, one thing I kind of chuckled at again this morning while we were preparing. I went out and read the articles and I laughed, because that one's been on my radar for, you mentioned the 30-some years, so this is nothing new or earth-shattering. But I think, again, working in partnership with the vendors, but also within the organization, saying it's not tolerable in today's world to use default passwords. It just is not. I'm sorry. And that's probably going to lead into another topic we're going to talk about, multifactor authentication, but I see it as a two-way street: number one, working with the developers or the vendors to make us aware of those points where there are default passwords. But secondly, within the organization, saying no, it's a discipline, we cannot have that and we need to change those. And we also have to have tools, as we all know, in the privileged access management commercial space to help support that. But in today's world, that's low-hanging fruit in my mind. You just do not tolerate it.

Brian Selfridge: [00:07:57] Right. This is like those never events in the clinical setting, like you should never cut off the wrong leg. I think there's like a list of them. We need ours too. We need a never list. Maybe that's what the bad practice guide is for us.

Steve Dunkle: [00:08:08] Yeah. And I think that's what NIST was getting at, is these are, I don't mean to belittle anything or anyone, but these are pretty much common sense stuff in my mind. And just to your point, I think it's entertaining the way they presented it.

Brian Selfridge: [00:08:25] Well, you mentioned multifactor authentication too, let's go there a little bit, because that is the third area that NIST called out as a bad practice, or a never event, as we're reframing it. So are we still seeing single factor in use in health care, particularly for external access, I guess is really the primary use case? And what are some of the challenges that you think are keeping health care entities from getting to that multifactor authentication place?

Steve Dunkle: [00:08:50] Well, obviously there's a usability, or possibly a perceived usability, issue with it. We know that multifactor has gotten much easier than in the past to use, but it's still, and I get it, some of our physicians, when they have an emergency, they need to move quickly. But in my mind, again, there are certain things an organization just should not tolerate, my opinion. And one of which is, especially externally facing, multifactor in my world has to be there. If it's not there, you're going to get a very abrupt reminder very quickly about how vulnerable those systems are. And again, in my opinion, it's very high risk, especially if you have a high-risk system exposed to the outside. But even on the inside, multifactor is just, I'll call it, the modern way of doing things. You should just expect it.

Brian Selfridge: [00:09:56] Yeah, I think there's a lot of, we may get to this later, but there's a lot of draft legislation. The House has put out five different bills on cyber. There's the industry groups like PCI and others that are all now, it looks like multifactor is going to be a requirement from a regulatory perspective, at least certainly the standards bodies are getting there. Do you see that trend as well? Would you be surprised if there was a hard requirement for multifactor for external access as part of a, you know, a regulatory approach?

Steve Dunkle: [00:10:22] It's probably coming, and I think a lot of the goals of folks in my position is to stay ahead of that, because we know and have known for quite some time that multifactor is a necessity. So if the regulations go into place, one would hope many of us won't have a big deal with that, because we'll already have it. Now I know that's tougher for some organizations to do than others, but definitely my advice is, you know, anything critical, especially if it's facing the internet, if it's not MFA, again, you're going to get that phone call at some point and you're going to have a bad week.

Brian Selfridge: [00:11:09] Hopefully, it's only a week. I think some of these events run like the better part of a year, it seems, right? Well, I'd like to switch gears with you a little bit, Steve, and talk about some of the guidance out from CISA, NIST, and the FBI on ransomware specifically. And it's hard to get through a conversation in 2021 without talking about ransomware. And this is another one. It's just the elephant in the room, so those groups all had sporadic, different guidance out. FBI put their alerts out and CISA was doing their thing. And then they wrapped everything around this one-stop shop of StopRansomware.gov this year. So I wanted to see if you've been familiar with that, if you had a chance to look at that in your travels, and is that resource useful for you? And sort of what type of guidance is there that might be helpful for CISOs like yourself?

Steve Dunkle: [00:11:56] Well, as you said, Brian, the part I do like about documents like that is it reinforces your thought, and occasionally, you know, I don't want to sound purely arrogant here, but it does reinforce your thoughts that, yes, I'm going down the right track, and occasionally there will be something there that is thought-provoking and you pursue it. But again, I would argue a lot of this is just common sense for a security professional. Anyone that's familiar, and most of us are, with NIST standards like 800-53 and things like that. It's not the end-all solution, but there's certainly, I'll call it, a common body of knowledge there that folks in our profession should be aware of and on top of.

Brian Selfridge: [00:12:50] Are there any ways that this guidance falls short of expectations? Is it too lowest-common-denominator and common sense? You know, would you be better off having more prescriptive guidance, or are there any ways that you could see them making this, those types of documents, better, more useful?

Steve Dunkle: [00:13:07] Well, I think when you say prescriptive, maybe, but to some degree, I would argue that's why security folks are in organizations, where the prescriptive part, the guidance, is great. But it's our job, in my mind, to make it fit the organization. And it's one of the things I've loved about the profession through the years, because I do view it as a chance to be innovative and take that guidance and take that knowledge and fit it in to work for the organization. So again, I'm not totally against the regulatory environment, but I sure don't ever want to be at the point I rely on that to do my job. That's not safe for anyone.

Brian Selfridge: [00:14:03] Now, do you get much? So there's this sort of guidance that's put out by these organizations. Do you get involved in sort of working with your peers and understanding how they interpret it for their businesses? Are there resources or forums or places where you go to have that kind of conversation, so you're not having to reinvent wheels every time out?

Steve Dunkle: [00:14:24] Yeah, and that's definitely one of the things I would strongly advise at this stage. And in our world, there are two critical parts in my mind that maybe haven't been as evident in earlier years. One is the idea that you cannot live within your organization alone. You need, again, all my opinion, but it's very critical to get out to network, to talk with your peers, and as part of networking, do a lot of listening. But in my world, I've gained a lot being involved with the Health Sector Coordinating Council; part of that is a Joint Cybersecurity Working Group. This is all part of the HHS, I'll say, sponsored or supported function. But the working group has done a lot, just as its name implies, to develop some very good guidance of its own, to some degree duplicative of, like, NIST or the HITRUST initiatives. But it's written more at a CISO-to-CISO level sharing of information. The other group I've really gained a lot from, of the ones I'm involved with, is what's known as the 405(d) Task Group. Many of us have heard of the Health Industry Cybersecurity Practices that came out of that, commonly known as the HICP document. I see that showing up more and more mentioned in the regulatory spaces. So those are ones, but also just actively, through time or whatever, in my world, employees I've worked with at other organizations, just working with them and, you know, getting the sharing, information sharing, idea sharing.

Brian Selfridge: [00:16:34] Well, we certainly share that philosophy with you, especially the listening part. All of our podcast listeners are hopefully partaking in that right now and learning from you as we go. So that's another forum for them to tap into some intel. Now I want to talk, Steve, about supply chain risk a little bit here, because there's been a lot of action from the federal government on supply chain and third-party risk in particular. So the White House issued several executive orders on supply chain risk earlier this year in response to the string of attacks against Colonial Pipeline, Kaseya, SolarWinds, Microsoft. I can't even keep up with the list anymore. There's also been guidance documents put out by CISA on securing managed service providers specifically, I think also addressed to those same breaches, really. And then NIST added the supply chain risk at eight hundred and forty three, which you mentioned earlier. So that's a total domain, its own domain now, which all makes a lot of sense to me. But I wanted to get your thoughts on, you know, when you see this much action around the supply chain, around a particular topic, it usually is a precursor to regulations. We talked about that a little bit earlier. Do you think regulations on supply chain might be warranted in the coming three to five years? And what might they look like if they were to be designed to be useful regulations, or even guidance, in third-party risk? What would be helpful for you?

Steve Dunkle: [00:17:55] Well, I definitely think that, because this involves many parties, and the whole supply chain thing is definitely a wake-up call. I think we're just starting to see the tip of the iceberg on that. But when you have multiple parties and it chains down, party one as a vendor, or party two, which again, the whole supply chain depth, when you get that level of involvement, I think then, yes, regulations and law do fit in there, sort of as, you know, rules of the playing field. It just, to me, emphasizes how important it is for security professionals to spend some of their time thinking not just about what's there today, but, you know, putting on the other hat and saying, if I were to attack an organization, what are the ways I would come at it? And when you think about it, especially buried down three or four levels in a supply chain, what better way? In SolarWinds, look at the coverage they got out of that, meaning the other side. So yeah, I think regulatory is going to come into that. But also security professionals need to be doing a lot of research in this area and thinking about it and working within their organization with the procurement folks, and if you have a chief purchasing officer and things like that, certainly be having discussions with them and collaborating with them and partnering with them.

Brian Selfridge: [00:19:43] Have you gotten anything out of the guidance that's come out? I had listed that whole menu of standards and guidance that got put out in the last year or two. Has all that been also sort of common sense, in the sense that you've been doing these things all along? Or did you get any nuggets out of that that you were surprised by or found useful?

Steve Dunkle: [00:20:01] Oh, a lot of it is things that I, you know, have crossed over in the past. A lot of my physical security background has paid off in this area. But the thing I think is number one, the partnership. But secondly, it did hit home with me, the total coverage, for example, a nation state, the total coverage they could get if they had a very large supplier, and not only the means of hitting those suppliers because of the depth of the supply chain, you know, it can involve hardware, obviously software, firmware, just different ways that, you know, they could get into an organization that at least I have never really given a lot of thought to. We've been so far focused on threat detection and, in the old days, intrusion prevention and all that. And we all know none of that's material in the supply chain attack. So if we're not unnerved by that, that's a worry in its own right.

Brian Selfridge: [00:21:23] We're unnerved. I think it's a prerequisite to the security role to be unnerved, to lose sleep, and to worry about things that hopefully others don't have to think about. So you mentioned, look, our job is to look forward and to anticipate some of these threats and get out in front of it. So what are some things that you are either doing now, or if you look out on the two- to five-year predictive road map, what are some things you think organizations need to be doing around third-party risk? Maybe that some are starting to do now, or we need to be doing more of them? Or are there things that we aren't doing at all today that we need to start doing, and any recommendations you have there?

Steve Dunkle: [00:21:59] Well, definitely a heightened awareness. And within our organization, we're starting that now. Again, as a mindset change for some of us that haven't been in global corporations, or have but are not now, definitely a global perspective, but also think of the depth, and how all these pieces fit in together with a final product, you know, that you get. And then you look at the different attack vectors with all the IoT capabilities developing, and definitely you're going to have to widen your scope significantly and push your creative mind to think about these things. And one of the things I found in my career in the last five to 10 years is I spend more time on research than I ever have. And that's probably, you know, they talk about the CISO's role being a high-stress role: you have to do the operational piece, but you also have to be, as I mentioned earlier, ahead of the curve in doing your homework, unfortunately almost every night, to figure out what do I need to start thinking about, and as you said, start worrying about it. So I see IoT. I definitely see, you know, you think about robotics and the automation that's coming. What are AI and machine learning going to do for both sides of the fence? It is a little overwhelming, especially for someone who started in a mainframe environment. This is pretty wild stuff, but it's also, if you look at it positively, it's fun too.

Brian Selfridge: [00:23:56] I remember doing mainframe security reviews in my early career, and they were even sort of legacy then, but they were still around, and they were pretty straightforward, there's only a handful of commands you need to worry about, you know? But they were really vulnerable because no one was attacking them. I like your point. Just a couple of reactions to some points there. I think the idea of doing your homework, that's sort of the Bill Gates and Warren Buffett model, right? Like, they just read constantly, set aside half their day just researching and reading, which sounds counterintuitive, but I think it hits on exactly what you're talking about there. And then my business partners and I have this conversation pretty frequently about making the time to sit and think, like we actually have strategies around where we'll get out of the office, go somewhere with just like a mind map app where you just jot down your ideas. But have you done anything like that just to get some brain time?

Steve Dunkle: [00:24:48] Absolutely. And that's a very good point. That's critical, because as we all know, all of our jobs anymore become, for lack of a better way of saying it, frantic. And you need that time to just relax and, you know, have a cold beer or whatever, sit out on your back porch or whatever, whatever gives you some freedom away from the grind to sit and think about these things. That, to me, is crucial, and it's crucial both from a strategy standpoint, but also from general learning. You know, as you said, what's over the next horizon, speculating on that? So, yeah, I do a lot of that. And I, to be honest, that's not stressful to me. That's, you know, some people say, wow, your work never ends. Well, that, to me, is not really working. That's just part of being what I am as a security professional, and I'm OK with that.

Brian Selfridge: [00:25:56] I think it's the fun stuff myself. I mean, it's a forced break to not be reacting in that frenetic sort of pace that you were mentioning, and the chance to sit. And it can be for a half-hour, an hour. It doesn't have to be large, you know, retreats, you know? Well, those are nice, too, if you can pull them off. But yeah, I think that's wonderful. So I want to talk a little bit more about just a couple of other quick topics on some of the guidance that's come out. The other big area of focus these days is incident response and cyber resilience, and that whole, how do we bounce back and recover from these attacks? So we've seen materials put out along those lines. Do you think health care organizations are plugging into those resources and using them, or mostly still doing their own thing in terms of business continuity, disaster recovery, and emergency response? So any thoughts you have on the guidance that's put out, or what health care organizations are doing today, either using that or not using it?

Steve Dunkle: [00:26:52] I hope they are. It's an area of security people talk a lot about, but I find, you know, there's an awful lot of individuals in the business. There are certain peers I know better and have developed more professional networking with. And those are the ones I cherish most, because they will, off the record, talk with you. And what I found is what they share off the record is what I've been wanting to say, the same thing, and have kind of held it close to the vest. Yeah, it is critical to share, and I think, I worry a little bit, and don't take this wrong. Again, I'm not finding fault with any organization, but I worry more about the smaller health care organizations, simply because I know the massive workload with cybersecurity and risk management today. And I also know how tight their budgets are and how resource-limited they are. And you know, I give them a heck of a lot of credit, because my organization's larger and it's still, you know, it's just a constant having to be on your toes, I guess. So smaller organizations, looking at, kind of like you said, the big picture and how the puzzle fits together, I'm not sure, credit to them, but I'm not sure they have all the time and resources they need to do that.

Brian Selfridge: [00:28:33] Now, I'll share the moment to applaud those folks with you as well, the ones that are fighting the good fight and don't have the budget and resources, and I've been in spots like that, and these are the true, true heroes out there making it work, because it's thankless, right? Nobody likes the security person. They were just perceived as putting up hurdles. And although that's changing, I guess. Do you think, actually, do you think that's changing, the perception of cybersecurity as this roadblock versus now, oh, geez, there's all these breaches in the news? Are we starting to get some street cred internally?

Steve Dunkle: [00:29:04] I think we are, especially in the boardroom and senior leadership, because they realize, you know, that we play a role in the enterprise risk management side of things, and we're able to come to the table, you know, credit to our profession, speaking more business speak versus throwing a bunch of technology and acronyms out there. It never works. But I think too, and I give a lot of credit, I've worked a fair amount in retail in my career. And between my education and my retail experience, the concept of customer-oriented, customer-focused has really been pressed into me, and that's how we've tried very hard with security at Geisinger. We are a customer service organization. We're there to serve as part of our partnership and secure the organization. That said, there's still conflict. There always will be in this profession, I suspect, because as you said, sometimes, in our opinion, the right thing to do is not the most budget-supportive, more resource-demanding, harder to accomplish. But again, focusing, you know, when you pick up the phone, you're talking usually to a customer. So that's the way we view it.

Brian Selfridge: [00:30:35] I love that customer service mindset. My first job as a kid was working in a bar, and I worked my way up to being a bartender, but my first job was actually at a big global consulting firm, and I put on the resume, you know, bartender, and the guy says, why in the world did you include this on your resume? I said, well, customer service. I said I had to build a relationship within, you know, seconds, or I wasn't getting tipped, you know? So customer service is everything. I think you're right. Once it's in your blood, it's hard to shake it. And it's tremendously valuable in our field, for sure. So I want to talk about OCR enforcement a little bit with you. We're going to go back to the regulators here. They've been on a pretty steady path over the last couple of years, big focus on risk analysis requirements, encryption to a large extent, although I think that's fading a bit, and then looking at the patient's right to access stuff on the privacy side. Seems to be a pretty consistent drumbeat there. What do you think of the current OCR enforcement model? Is it effective as a deterrent, or those types of things that it's meant to do? Or are there other things you'd like to see OCR focused or not focused on, just if you had your druthers?

Steve Dunkle: [00:31:47] It's an interesting question, and I in no way, shape, or form want to find fault. I have a lot of respect for any security professional or auditing professional. I have ultra-high respect for them. But sometimes in working with that organization, I feel, and I get it, they're very large, but sometimes I don't think their feet are quite on the Earth when they come in and understand, you know, especially a health care system, an integrated system. The NIST concepts as far as boundaries and things like that, that's all good stuff. But in a very large integrated health care system, those kinds of boundaries get much tougher to define. And sometimes the tendency is to cling to NIST, which I think is good, but we all know NIST is like anything else. It takes time to keep up. You have to work through the cycles. And I've heard some of the auditors and some of the folks we've worked with still referring to standards that have, you know, kind of come and gone, for lack of a better way to say it. You know, let's look at passwords, you know, having people change their password every, say, 60 days. Well, are you really gaining that much by doing that, especially if people have, unfortunately, 25 up to 100 or more passwords? And you expect them to change them every 60 days. How are they going to manage that? They're going to do the best they can under the circumstances to do their job. They could write it down on a piece of paper, add it to a spreadsheet. So some of these things, that is an example, and you know, we could talk about it for hours, but there's got to be a real side of it and a look as a security professional to say, well, it sounds good on paper, but can you really implement it and make it stick? And that's where I struggle a little bit with it.

Brian Selfridge: [00:34:18] We certainly have our share of complexity in health care, and trying to secure and simplify a set of rules around that complex ecosystem, it's just bonkers. You know, I guess that's why we stay gainfully employed trying to figure it out.

Steve Dunkle: [00:34:31] Yeah. And the other thing is, the beauty I like about healthcare is occasionally, when I need to get grounded, I walk around the health system. And, you know, the children's hospital and obviously the hospital in general, the clinics, the health plan. All of those put a perspective on things, because you talk with employees that are just trying to do the right thing. The majority of them just want to do their job, and their job as they see it is to care for the patient, not to keep the CISO happy. And my job is to take care of the patients and make sure they can. So when I weigh that way of thinking compared to written standards that are dated, I know what side of the fence I'm going to fall on every time.

Brian Selfridge: [00:35:27] Well, I would love to continue to pick your brain on all of this stuff, but I know you've got some work to do. Maybe you'll go walk the halls, maybe you'll go have a think after this, or just get back to emails. But, Steve, are there any other, you know, closing thoughts, anything maybe we've touched on today you'd like to leave, any sort of parting thoughts that we may not have covered so far?

Steve Dunkle: [00:35:48] Just, you know, the importance of networking and respecting each other in our field and learning from each other in our field. There's definitely, in my opinion, the opportunity for camaraderie there. The more people you know in the field, it's not about, you know, how it appears on paper and all that, it's about learning and appreciating those you're working with and learning from each other. So, you know, again, as an old-timer, I just want to say I've really appreciated that through the years.

Brian Selfridge: [00:36:24] I will raise my glass to that sentiment. It's a wonderful thing about this field that you're always learning. I'm always learning every single day. Every conversation is just tremendous, and applying that knowledge is worth its weight in gold, and we've learned a lot today. So I want to thank my guest, Steve Dunkle, the CISO of Geisinger Health System, for a wonderful conversation, sharing your perspective on all of these emerging trends. And it's never mission accomplished. We've got a lot more to do, and you've given us a lot to think about. So thank you, Steve, so much for taking the time to be with us today.

Steve Dunkle: [00:36:56] Thank you, Brian. I enjoyed it. Good discussion.

Brian Selfridge: [00:37:11] I think we can expect to see quite a bit more activity from the federal government and standards bodies on this front in general, and we can be sure to have Steve help us keep tabs on it as it all continues to unfold. So we'll check back in with him from time to time, and we very much appreciate his insights today. As always, we'd like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of the CyberPHIx. We look forward to having you join us for another session coming up soon.