Cyber Trust Falls: How Cybersecurity Enables Trust in Healthcare

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Who can be trusted to protect sensitive healthcare information and systems amidst a daily barrage of breach events?

Healthcare cybersecurity and risk leaders must identify innovative ways to establish and maintain trust in the healthcare ecosystem through cybersecurity programs and functions. This includes being transparent about risk exposures, building relationships internally and externally, responding effectively to breaches, and adopting certification models like HITRUST and SOC 2.

In this episode of The CyberPHIx, we hear from Ed Dame, Chief Information Security Officer for Dasher Services, Inc.

Ed provides insights and wisdom from his years of experience as a CISO in building relationships and establishing trust. Questions covered in this session include:
  • Why is trust important in healthcare settings?
  • How can cybersecurity programs support and sustain trust?
  • What role does transparency play in building or eroding trust?
  • What are the boundaries of accountability for trust for healthcare CISOs including third- and fourth-party vendors?
  • What role do cybersecurity certifications like HITRUST play in establishing trust with the market?
  • What happens when trust is lost or damaged?
  • Is there a right and wrong way to respond to breaches that impacts trust?
  • What is the difference between reacting and responding to cybersecurity incidents?
  • What is the role of emerging “zero trust” models and terminology in healthcare?

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:20] Hello and welcome to The CyberPHIx, your audio resource for information security, privacy risk and compliance specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in healthcare, cybersecurity and risk. In this episode, we'll be speaking to Ed Dame, who is the Chief Information Security Officer for Dasher Services, Inc. Dasher's mission is to help people live happy, healthy lives, and they certainly want to get behind that mission for sure. I'll be speaking with Ed about establishing and maintaining trust in the healthcare ecosystem through our cybersecurity programs and functions. So let's dive into another great conversation with yet another amazing guest, Ed Dame.

Brian Selfridge: [00:01:09] I'd like to welcome my guest Ed Dame, who is the Chief Information Security Officer for Dasher Services Inc. Dasher's mission is to help people live happy, healthy lives. Dasher specializes in moving confidential information that requires HIPAA compliance and other security measures, as well as rigorous quality assurance processes, and Ed will tell us more about Dasher when we get into it. Prior to Dasher, Ed has held leadership roles with several technology firms, including CSSI Global Technologies and CACI. I'm excited to speak with Ed today about this concept of establishing and maintaining trust in the healthcare ecosystem through our cybersecurity programs and functions. We have a lot of ground to cover today and lots to learn from Ed on this topic. So with that, Ed, thank you so much for taking the time to join us on The CyberPHIx today.

Ed Dame: [00:02:02] Thanks, Brian. Really glad to be here today.

Brian Selfridge: [00:02:05] Excellent. Well, we're really excited to talk through this, and there's just so much to unpack with this topic of trust. But before we get deeper into cybersecurity and trust and the overlaps and all that stuff, first, Ed, could you tell us a little bit about your organization? So we have some context for your perspective on the topic?

Ed Dame: [00:02:22] Sure. Yeah. As you mentioned, the mission of Dasher is to help people lead happy, healthy lives, and Dasher is a very unique company. So Dasher started out as a mail services business and a courier business, actually. So not anything to do with the healthcare space. And about 10 years ago, Sharon Ryan purchased the company and has really transformed it into what it is today. And everything that Dasher does helps people lead happy, healthy lives. And so it's a very mission focused company. It's a woman owned business, obviously, as I mentioned, and a small, diverse business. So, you know, we have some interesting challenges regarding security and technology being a small, diverse business. But everything we do goes back to that happy, healthy lives.

Brian Selfridge: [00:03:21] Excellent. So we're going to talk about this topic of trust, so how does that play out for you and your customer base? Maybe we can sort of start with Dasher as a microcosm of the larger, you know, challenge that we have, I guess you could say, in establishing trust. So what does it mean for your organization if you do or don't have trust with your customer base?

Ed Dame: [00:03:40] Sure. Yeah, I think trust is critical at all levels of an organization. So not only with our customers, but also with our staff, and we really try to focus on that. So, you know, when we're communicating complex information, you know, sensitive information like we do every day, trust is paramount. And you know, when I think about trust, it goes in concentric circles, you know, so it starts at the lowest level. You know, if you don't have trust in yourself, you know, you're not going to move very far. So it starts with yourself and then it works out from there, you know, do you trust your team? Do you trust the organization? Do you trust your partners? And eventually that ripples out into customers. And so it's that pebble in the pond. You know, you have to start in the middle and then trust works its way out from there.

Brian Selfridge: [00:04:36] So if we, you know, we have this desire to establish and maintain trust for all of those parties and all those reasons. What are some ways that cybersecurity, and you can broaden this for your organization or maybe sort of go beyond if you like, but what are some ways that the cybersecurity function supports trust in sort of a meaningful sense?

Ed Dame: [00:04:57] I think it gives people confidence. You know, when you're dealing with your customers, you need to have confidence that you're going to deliver and deliver securely. And so when we're handling their information, they're putting their trust in us. And that is something that we take very seriously is that, you know, we want to be good stewards of their data, you know, because the way Dasher operates is, you know, we deal with clients who entrust their data to us to communicate with their clients or their members. And so it's that chain of trust, which I'm sure you know, you live in this world. So you know, that's everything these days is the chain of trust. And so, you know, as we do that, it's really critical for us to take it seriously. And so our cybersecurity program and the initiatives that we undertake, they are the foundation of that. You know, it's the constant education, it's the training, it's the policies and procedures. It all lays the groundwork to have a solid foundation on which we can operate.

Brian Selfridge: [00:06:10] So how do you communicate that trust? So a lot of times, cybersecurity people, historically, you know, I know you and I have grown up sort of in a similar evolution of cybersecurity where it was like this thing happening in the basement and an IT-focused kind of conversation, and it's evolved into something that's requiring, you know, more and more interfaces with leadership and the business and customers and more of a direct communication vehicle between a security officer, for example, and those stakeholders. So how do you see some effective ways of communicating in a reliable way that, hey, you should trust us and these are the things we're doing? And so how do you go about doing that?

Ed Dame: [00:06:54] I think speaking straight is what I go to, and what I mean by that is that, you know, we don't use scare tactics, we don't use jargon as much as we can. We share the why behind what we're doing, and what I found in my experience is that a lot of people, when they hear the term cybersecurity, immediately go to a place of fear and, you know, through the media and through the web, you know, there is a lot of fear. And frankly, cybersecurity can be a scary place at times, but it doesn't have to be. And that's why when I'm communicating about cybersecurity, I like to speak in plain language. I like to tie it to business outcomes. And I like to share the why behind it. And you know, I think we'll touch on this a little later as well, is I like to talk about transparency and be transparent in my communication because really, that's the only way you're going to get better is to be transparent, to face your challenges head on and to keep getting better a little bit each day.

Brian Selfridge: [00:08:15] That's a great point around transparency, and I do want to dig into that a little bit because I've seen, you know, it's always easy to put people into buckets, but I've seen security leaders that, for the sake of this discussion, fall into two different buckets. Some of them, if they're establishing trust, will do a model where I'm the security expert, I'm the technical guru, whatever they want to frame themselves and brand themselves in the organization, and they say, I got this, you know, don't worry about it. Trust me, we're covering everything we need to cover. Don't worry about the details, and I'll let you know if there's a problem. That's sort of one style, I guess, putting it that way. But it's certainly not a particularly transparent style. It's more of a trust me because I'm credentialed kind of thing. And then there's the others that I think, it sounds like you may be more in this camp, potentially, I'll let you respond to that, but that are more transparent and sort of opening up the details and speaking in plain language, but also saying these are the risks we have and we aren't great at everything and we do need to make investments to improve our risk posture or whatever it may be.

Brian Selfridge: [00:09:18] But being a little bit more transparent about the true exposures and risks, even sometimes in a way that may make them look like they have, as a security leader, missed something. And so there's sort of that whole tug and pull. And it's interesting in that sometimes both security leaders can establish a form of trust with the business. You know, the first ones may be trusted until something goes wrong. And they're like, Well, you said you had this and what happened? There's a breach. And that usually doesn't end well. And then sometimes, you know, folks that are transparent can get a little dinged reputationally by saying, Oh, you know, why, what are you telling me? We're missing stuff. Why aren't you doing your job, that kind of thing? So that's a really long segue or a really long setup for this. But where do you fall in that and how do you sort of see the importance of transparency in the trust conversation?

Ed Dame: [00:10:12] Yeah, you know, I definitely fall on the more transparent side of things. I think that leaders, regardless of what area you are in, whether you are in cybersecurity, finance, HR or IT, it doesn't matter, you know, you got to push the ego down. And I found that the leaders that you describe on the other side, where they take the posture of, I've got it, don't worry, that's an ego thing. And to be where you need to be, in my opinion, as a cybersecurity leader, you need to push down your ego and it's about getting better. It's about improving. As you and I and the listeners well know, this is a cat and mouse game. There's never an end. You always have to keep getting better because the threats are going to keep evolving. And so if you don't have that growth mindset, if you have a fixed mindset that you got it all, that's when you're going to be in trouble.

Brian Selfridge: [00:11:21] Is there a point where you can be too transparent, in the sense that again, there's a lot of technical stuff in our field and you can be like, All right, everybody, I'm going to read out the vulnerability report from this quarter to you and show you we've got seven million vulnerabilities, high, medium, low, and we're missing Apache patches. Like at some point, do you start losing people because, you know, you're telling them all the detail, but maybe that's not helpful. What's too far in terms of that type of transparency?

Ed Dame: [00:11:50] Yeah, I think you're spot on. You can really get into the details, and many technical people fall into this trap, you know, and I was just thinking about this with, you know, a number of recent vulnerabilities, is when you hear it, you know, you see Log4j or something like that and people don't even know what that means. You know, they know it's a threat, but they have no idea what it means. And it's easy, especially if you're a detailed technical person, to jump right into the weeds and say, Oh my gosh, here's how this vulnerability works, and here's what we need to worry about. And here's what we're doing to remediate it. But I go back to my previous thought about speaking straight in plain language and then putting yourself in the shoes of who you're communicating to. You need to understand what they need to do their job and how it's going to impact them. So if there's action that needs to be taken, I think there's an art of summarizing and getting to the appropriate level, depending on the audience that you're talking to. So a lot of times in the CISO role, you know, you may be speaking to your clients and need to speak in one way. You may need to speak with your leadership team and talk in a different way. And then you may speak to your actual security team and speak in an entirely different way. And so leaders need to be malleable in their communication styles and approaches to fit the audience.

Brian Selfridge: [00:13:29] What are some of the vehicles that you use, or some ways in which you deploy this type of messaging to the market, in particular customers? For instance, I've noticed you guys put out blogs and they're very security focused, which I think is wonderful. As a security practitioner, it's always nice to get that sort of vehicle to communicate with the market. But what are some ways that you sort of get out in front, because we get busy, right, like everything else, and we get tactical and the stakeholders are busy, the business is busy, customers are busy. So how do you get that connection? What vehicles do you use to actually have that conversation?

Ed Dame: [00:14:01] Yeah, the most important thing that we do is give up our time, and so we spend time to build real relationships. So Brian, as you and I were talking, I mean, we were getting to know each other. And, you know, that creates a stronger bond because now I know about you and I know about what's going on with you and you know a little bit about me. And so that's really the most critical thing that we do is we're intentional about forming real relationships. And then also, we share frequently not only about what's going on security wise with us, but we share about our greater mission. So we talked at the top about Dasher helping people lead happy, healthy lives. We talk about that all the time. We send out books at the end of the year to all of our clients and partners sharing about how Dasher has lived out this mission and how they've helped be a part of it. Because really, it's all a part of fulfilling that mission. So, you know, that's a big thing. Now how we do it, whether it's through a blog, through a video, through a letter, you know, there's any number of ways that you can go at it. You have to choose what's best. I've always found that person to person communication works best because it's about that relationship.

Brian Selfridge: [00:15:29] And, of course, virtual counts, right? Like person to person, I haven't seen another human being in, you know, two years or so.

Ed Dame: [00:15:35] Yeah, well, it definitely counts. And, you know, we've gotten a lot better at that, frankly, and I think it's opened a lot of new avenues. You know, we probably wouldn't be sitting here talking today if we weren't able to do this virtually. So, you know, it's a blessing and it's an opportunity to connect with people, regardless of whether it's over Zoom or Teams or face to face.

Brian Selfridge: [00:16:01] Yeah, it's funny you say that. I mean, in my early days of consulting and being a security officer, like when I wanted to meet with a peer and a colleague, yeah, I would say, let's meet. I'd get in a car, I'd get on a plane, in some cases, to go have coffee and talk to somebody. And it's this whole logistical sort of thing, which was always worth it. Like that investment you'd make, all that time, energy and money in some cases, to just have that conversation. Because I think, as you're saying, the relationship sort of trumps everything else with respect to establishing trust. I do want to talk a little bit more about this trust idea and how far it extends, because you know, your customers, let's say, for example, will trust you and you, by extension, are the security team. They trust Dasher. You're protecting Dasher and Dasher's information. You're part of that. But then you've got third and fourth parties and their third parties. And then there's a whole chain, a whole supply chain. Where does this stop? Where does the accountability for trust stop? As a security leader, do you at some point have to take a leap of faith with your third and fourth parties? Or do you follow it until its bitter end? And if anything goes wrong, it's, you know, it's our fault. Where do we draw the line?

Ed Dame: [00:17:16] I think you need to try to follow it as far as you can without making yourself crazy. And I don't know if you have heard of Jocko Willink. So, yes, Jocko was great, I mean, ex-Navy SEAL. Jocko has the concept of extreme ownership, which we love. We love that concept because it's about everyone taking ownership. And so when we look at our partners, when we look at the chain of trust, we partner with people who take extreme ownership because that is a critical mindset and philosophy to ensuring that you're going to do a good job. If you're going to look at yourself first, about security, about whatever you're doing, then you're going to be in the mindset where you're going to take responsibility for things that are happening. And so that's really one of the critical things that we look for. But you have to also balance this with being able to operate. And so, you know, as I mentioned, we're a small, diverse business and so we don't have unlimited resources. You know, there are large entities out there that have teams of people sitting around focused on these things. Well, we're kind of scrappy and we have to get the job done. So it's a balance of mitigating the risk, minimizing the risk and getting the job done and not overburdening the team so that they can't do what they need to do.

Brian Selfridge: [00:18:52] I really struggle with this, too, especially with third parties. Take this Log4j thing you mentioned earlier, which again, is for we won't make the same mistake. Log4j, for everybody that isn't familiar with it, is a vulnerability in an open source Apache platform that's used all over the place and has a vulnerability to being exploited in the wild. And it's bad news. Like, how did you guys handle that with your third parties? Do you audit them? Do you just ask questions? Do you assume they've got it? And like, how do you just get at least that base level of trust, like you said, within time and reason and cost? What are some of the fundamental things you can do in a situation like that?

Ed Dame: [00:19:32] Well, first and foremost, we never make assumptions, you know, that's rule number one, no assumptions. But what we did in that case was we started communicating right away, you know, so when we learned about it, we communicated up the chain to our clients and we communicated down the chain to our vendors and partners. And so we started an open dialogue and that was really important. So, you know, there were some people that were on it. They knew exactly what was going on. They had already planned. They had already thought about it. And so that was great. But there were others where we needed to do some education and share with them even what this vulnerability is. So again, we tried to take ownership of that and do everything that we could to help others, help ourselves, help our clients, you know, and really, it comes down to a couple of questions, you know, when we evaluate anything we do. Is it good for the client and is it good for our people? And in this case, communicating proactively and going right into remediation and gauging where we are was definitely good for our clients, and it was also good for our people too, because it allows us to maintain those contracts. It allows us to maintain the trust that we talked about earlier and really get ourselves out ahead of it where we're not waiting for anybody to talk to us about it. We're putting our foot on the gas and we're saying we're going to handle this head on. And so that's the philosophy that we took in that particular situation.

Brian Selfridge: [00:21:13] I appreciate that you talk about that open dialogue model. I think a lot of times trust can be broken down between customers and third party vendors where there's this kind of, again, even within this we'll stick it to the security function, where the security officer of, you know, Company X goes to the third parties and says, You tell me what you're doing, fix this Log4j. Meanwhile, they haven't fixed it themselves, right? They're scrambling like everybody else. But there's sort of this condescending approach and that erodes trust, versus saying, Look, we're in the same battle you are, but an open dialogue. Like you said, having that conversation, let's work through it together. How can I support you? How can you help me? Really goes a long way, and I would argue there's not enough trust building between organizations and their third and fourth parties. There's more just, you know, over assessing and, you know, combative conversations and things. So that's anyway, that's my reaction to that. But I want to move a little bit more into the technical realm for a second, because we talk about trust at the business level and communication and certainly as leaders, that's critical. How about from a technical perspective, what are some ways that cybersecurity, just our basic controls and things that we do day in and day out, help support trust? It could be things like certifications like HITRUST, SOC 2s, those type of things, or more technical things like SSL or anything like that. Where do you see the control environment really supporting trust from a technical perspective?

Ed Dame: [00:22:46] I think it gives a baseline for the organization to operate. Like I said, it's that foundation. My philosophy for a long time, you know, as you mentioned, I've kind of been in the IoT world and run some technology companies and things like that, is that now every company is an IT company. That is what I had said for a long time, and now every company is a security company as well. And it permeates every aspect of operations. And so, you know, going through a process like HITRUST gets you to a baseline and a level of competency where you're on the same playing field, you know, and that's the difference between like a SOC 2 Type II and HITRUST is that SOC 2 is so much more malleable to, you know, your organization. It's not as high of a barrier, it's not a standard. And so, you know, that's where we started, though, frankly, you know, on our journey as Dasher, we started with SOC 2 Type II because it was a little easier. We were starting from zero. And so, you know, we had just thought about it and that was a great first step for us.

Ed Dame: [00:23:58] But then it's about the constant improvement. And so HITRUST was an obvious next step for us, and it frankly was a big step for us. We took that on and we weren't sure how to get there. And that's where partnering with Meditology and working on that together, which, you know, frankly, we couldn't have done it without Meditology. And, you know, but that has gotten us to a place where, you know, we are able to operate. And it brought some new technologies and controls into our sphere that allowed us to be more secure and allowed us to build that trust externally and internally, because our users, our employees, see that every day when they're using things like MFA, you know, to connect. And as we had to pivot and go remote during the pandemic, you know, we had the baseline to make that switch securely and get that done. And if we had not been working on this journey, I can't imagine the hill we would have had to climb to get there, you know, during pandemic time.

Brian Selfridge: [00:25:14] Now, an ounce of prevention is worth a pound of cure, I guess, in that sense. So absolutely, and we likewise appreciate, you know, the partnership with all of our clients and Dasher, you know, especially when you have two organizations that come at it from that perspective and aren't just trying to check a box, it really sings, the whole process really works much better. I want to talk a little bit about the downsides of trust that can sometimes play out. So you know, what happens when trust is lost or damaged? Maybe you could share any examples you've seen where you've seen that trust breakdown in a cybersecurity setting. And what are some of the impacts that, you know, that stone in the pond has in a negative sense when it goes the wrong way?

Ed Dame: [00:26:02] I think the loss of trust, when it rears its head, has serious consequences. I mean, it can go to the loss of contracts, it can go to legal challenges, of course, you know, and one of the areas of Dasher's business that we work on as well is in breach response services. So we do secure mailings for breach response services. And so we see this every day. We talk with the clients and with the lawyers and with the insurers who are dealing with this loss of trust. And it's very interesting to see how different organizations go at it because again, like we talked about in cybersecurity philosophy, there are many different approaches that organizations take. Some just take a compliance approach, some take a very proactive hands on approach. And, you know, we've found that issues are going to happen. We get enough of these breach responses that we know issues are going to happen. It's how you deal with them and how you respond to them that makes all the difference. And if you can have a compassionate and personal approach to dealing with it and be honest about how you're going to improve and how you're going to get better, you can mitigate some of those downsides, like loss of contract, like legal challenges and things like that. But it also starts with that relationship, if you don't have that relationship to start with. You know, again, just like we talked about pivoting during the pandemic, you know, if you don't have that cybersecurity program already, if you don't have the relationship already, you're starting from zero and that's a steep hill to climb. And so you have to be proactive in your stance with relationships, with your cybersecurity program, to be in position that when something goes wrong, because it's going to, you're ready to go.

Brian Selfridge: [00:28:08] I'm really glad you brought up this idea of responding to the breach and how that impacts trust. To give an example, there was that Kaseya breach, if you remember that third party supply chain breach that happened a little while ago, and the CEO had come out initially and said, like, it was all the wrong ways to establish trust. At first it was like, there's no breach. Then it was like, it's not my fault. Then it was there was an intern and the intern did something wrong and had the access, and I was like, Come on, like, you can't possibly try to pin it on an intern, I don't like it. And so there was this sort of blame game, finger pointing thing that happened. And I think it really hurts the brand. And I'm not just picking on that organization. There's been many that have suffered breaches and just done that, just the wrong PR approach, and others that have come right out and said, we're having a breach. Sometimes we don't even know exactly what's going on, but we want to let you know something's happening and we're working on it. We'll keep you posted, open dialogue kind of thing. And I'm amazed at how, you know, folks understand, right? They understand right away. Oh, thanks for letting us know, we're concerned, but we appreciate it. You know, there's sort of a greater trust that happens and the brands really get impacted one way or the other. So I think we're seeing that play out for sure.

Ed Dame: [00:29:22] Well, I think what you're talking about there is response versus reaction. You know, when somebody is in react mode and they are flailing about, you can tell very quickly. But if you are in a measured response mode, again that goes back to trust. When somebody is not, you know, going off the cuff and, you know, just saying whatever is on their mind, pointing fingers, you can tell and you trust that person more because you think, you know, whether they have it or not, you feel like they have it.

Brian Selfridge: [00:30:00] So is there a point where there's just so many breaches, and we can respond well or not respond well, but ultimately is there some point where the public, I'll use that term pretty broadly, just loses confidence in the cybersecurity industry or the IT industry or name any particular industry that has it? And security, as you said, it's all of them. They're all in that business. At some point, is there this kind of breach fatigue? Like can we get to a point where it's irrecoverable and we can't claw back the trust, that people just say, Oh, you know, you guys just can't handle this? Or do you see a brighter future than that? That may be a bleak picture.

Ed Dame: [00:30:41] Well, I think breach fatigue is a real thing, and, you know, as I mentioned, in our breach response services, we see that firsthand and we look at, you know, through our communication, through our call centers, you know, we take incoming calls from people who have been the victim of a breach and, depending on the incident, a lot of times people are not calling anymore, you know, so the call rates go down and that tells me that people are fatigued and they are comfortable and they're just taking that letter and they are putting it in the trash, you know? And so while that is important to know, I think that how we communicate about these things remains critical. It really does, because data is so important. It's the base that everything runs on and it does feel out of control sometimes when your personal data is out there. I mean, who hasn't gone and done the dark web scan on their email and you just kind of shake your head and you give up. But as security leaders, we can't do that. We have to keep moving forward. And so, you know, I see it as an opportunity for us to keep getting better and meet people where they are. You know, what are the critical things that people would like to be communicated to about, you know, not just the compliance, because the compliance is one thing, we all have to follow the law, you know, of reporting and all of the HIPAA laws and everything. So that's one thing. But what are the real questions that people have? What do they really want to know and what's important for them to know and what's noise? It's determining signal versus noise, right? So there's a lot of noise out there. So how do we get to the signal when we're communicating?

Brian Selfridge: [00:32:43] I want to ask you a little bit about this buzz term that's been out around zero trust. And obviously, I don't think the folks that are using this in the models literally mean zero trust, but I've struggled to figure out how it applies to healthcare, particularly maybe on the provider side more than anything. But we've got so many applications, so many interconnected cities. We have a need, a true business need to release the flow of information to help keep people safe, right, in a lot of ways. And at the same time, you have this sort of push toward a zero trust model. You know, I wonder if almost the term should be trust management instead of zero trust. Like, just figure it out. But what's your take on that whole ecosystem, that term? Is this something we can aspire toward? Is it meaningful, or how do you think it applies, maybe to healthcare, in a useful way?

Ed Dame: [00:33:39] I think zero trust in concept is a noble concept, and just like we talked about with extreme ownership, it sits in the same spot in my mind. But I also think it's a unicorn. You know, when I think of that as well, you know, I thought of another zero concept, which you may have heard of, which is inbox zero. You know, and that's the concept of having no emails in your inbox, right? You've processed everything and you have no inbox emails. Is that a reality? No. Does anybody have inbox zero? Maybe. But you know, very few people that I know of have inbox zero. So, you know, balance is what we need. Again, you know, if you take ownership, if you extend trust in a smart way, and I like your term trust management more than zero trust because it's more reasonable. You know, getting to zero trust is, I think, an easy way for people to understand it as a concept and as a philosophy. Just like inbox zero, it's easy to visualize your inbox with no emails in it. But, you know, healthcare has particular challenges with this because of the interconnectedness of everything, it's such a complex chain of trust that makes the system work.

Ed Dame: [00:35:09] It presents a lot of challenges. And you know, as I was thinking about this question, it came to mind about innovation and how much innovation is required in healthcare currently. And a philosophy like zero trust can be used to stifle innovation. So how do we balance that? How do we balance the need for trust and the need for risk mitigation and the need for innovation? And that's where we have to find a balance and find a middle ground and just, you know, continue looking at that. And you know, for Dasher in particular, what comes to mind for me is, you know, how do small, diverse businesses like Dasher remain part of that ecosystem. And as things become increasingly complex and become increasingly challenging in the world of security, how does Dasher keep up? How do we continue to be a good partner? And the answer that I keep coming back to, and I've repeated it a number of times in our conversation here, is that we just have to get better every day. We just have to keep getting better. And you know, if you get one percent better every day over time, you're going to be in a really good spot.

Brian Selfridge: [00:36:32] Yeah, it's almost as if zero trust is a direction rather than a destination, and a lot of it becomes an ideal. I love that you mentioned balance and the idea of sort of a reasonable approach to all this. It reminds me a lot of, I'm not sure if you run into this, but there's sort of the federal cybersecurity view of the world. And a lot of times the models that come out of the federal systems and even professionals that come from federal into private practice sometimes have this perception of like, well, doing security right is sort of the Department of Defense. We lock everything down and it's all Fort Knox, right? But you know, anybody that's ever run a healthcare organization in particular, or any organization in private practice, I think understands that you can't lock it all down because you need innovation, because you need communication, you need this stuff to move. So I love that idea of finding that balance. I think when you communicate to your stakeholders, leadership, everybody we talked about, in a way that talks about balance and help me understand which direction you want to go. Should we tighten up? Should we not? I'll advise you, but I'm not going to come in, you know, the ones that come and pound the desk and say, you know, we're shutting it all down today, you know, it just doesn't go over well. Just in terms of, I know we really appreciate your time and you have some real, real work to do today. I just want to get your thoughts. If there's anything else that you'd like to share, any other comments or wrap up type of things that can help us just sort of frame this topic as we all go back into the real world and try to apply all these trust concepts.

Ed Dame: [00:38:02] The concepts that I keep coming back to are foundational and base concepts: it comes down to relationships, it comes down to communication and it comes down to kind of that lifelong learner philosophy of just getting better. And, you know, I'd like to just share because, you know, this is a really important story for us at Dasher, is finding great partners to work with. And so, you know, we had a partner who actually is a client of ours, and they helped us move along in our security journey. And usually it's not that way. Usually you go to a client and they say, Show me what you got and we'll choose you or we won't choose you. Well, we are really lucky to work with clients who take an interest in Dasher, not only from a security standpoint, but from a mission standpoint and helping our people lead happy, healthy lives. And in turn, we help their clients lead happy, healthy lives. And so, you know, if you can find that alignment with partners and with vendors that you use and with employees and everybody's rowing in the same direction, that's when you can really make a difference. And it doesn't seem as daunting. You know, the challenges of cybersecurity, the challenges of business, they just don't seem so daunting when you're working with great people who are aligned and moving in the same direction.

Brian Selfridge: [00:39:37] I think that's a fantastic point, it's a bit of karma and pay it forward there too, right, when you work with your partners, even if in the tactical moment, maybe it's an investment you're making in that partnership or that relationship. I've always found that that stuff always comes back to benefit, you know, in the longer term, so fantastic closing thought there, I think something we can all rally around. So I want to thank my guest today, Ed Dame. Thank you so much for joining us. He's the chief information security officer for Dasher Services Incorporated, and we may need to reprise this conversation sometime. There was a lot of great stuff to cover here, but Ed, thank you so much for joining us on the CyberPHIx today.

Ed Dame: [00:40:13] Thanks, Brian. It was a pleasure.

Brian Selfridge: [00:40:22] Again, I would like to thank my guest, Ed Dame, who was the chief information security officer for Dasher Services Inc. I really appreciated Ed's perspectives about the importance of collaboration and transparency to establish and maintain trust. I also loved his line about responding rather than reacting to events. It's a subtle word shift with a huge impact on how to go about thinking about effective cybersecurity programs and models that build and sustain trust.

Brian Selfridge: [00:40:47] As always, I'd like to have your feedback and hear from you, our listeners. Feel free to drop me a note about what topic you'd like to hear about or thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of The CyberPHIx. We look forward to having you join us for another session coming up soon. See you then!