The Game Changer: Envisioning & Delivering Innovations in Healthcare Cyber Risk

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Healthcare cybersecurity has seen major game-changing risk management models and companies emerge in the last several decades. These include the introduction of the HITRUST Common Security Framework (CSF) and certification model and the emergence of companies like Meditology Services and CORL Technologies that are dedicated to solving big, complex challenges facing the healthcare industry. 

At the center of these innovative models and new paradigms is one leader in particular: Cliff Baker. Cliff has a long list of accomplishments envisioning and delivering game-changing solutions for healthcare cybersecurity. He began his notable career with PricewaterhouseCoopers (PwC), where he led the organization’s national healthcare security practice. Cliff later went on to architect the HITRUST CSF and certification model and founded two industry-leading cybersecurity companies, Meditology Services and CORL Technologies. 

Join us for this episode of the CyberPHIx podcast where we hear from Cliff Baker, CEO for Meditology Services and CORL Technologies. 

Topics covered in this session include:

  • Leading practices and new models for measuring and reporting cyber risks 
  • How to measure the effectiveness of healthcare cybersecurity programs 
  • Insights into the inception of the HITRUST certification model and the HITRUST CSF 
  • The current state of HITRUST adoption and use cases for the industry 
  • Perspectives on the role that HITRUST will play in the next decade for healthcare cybersecurity and third-party vendor risk management (TPRM) 
  • The process for envisioning, designing, and implementing game-changing cybersecurity models and companies 
  • Solutions and innovations that Cliff is cooking up in the lab to solve the next wave of large, complex challenges facing healthcare cybersecurity 
  • How leaders can move from idea to reality for delivering game-changing solutions and companies 

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:20] Hello. Welcome to The CyberPHIx, your audio resource for cybersecurity, privacy risk, and compliance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in healthcare, cybersecurity, and risk management. In this episode, we'll be speaking to Cliff Baker. Cliff is the CEO for Meditology Services and CORL Technologies. I'll give you a more proper bio and background on Cliff in just a moment when we get started with the interview. But Cliff is the ultimate game changer in healthcare, cybersecurity, and risk management. I'll be speaking with Cliff about how he's been able to envision and implement some of the most significant overhauls and innovations in our industry over the past several decades. We'll also look forward to the next set of big innovations that Cliff has cooking for the industry. Can't wait to get into that. So let's dive into another great conversation with yet another amazing guest, Cliff Baker.

Brian Selfridge: [00:01:24] Hello. Welcome to The CyberPHIx, the leading podcast for cybersecurity risk and compliance, specifically for the healthcare industry. I'd like to welcome my guest, Cliff Baker. Cliff is the CEO of Meditology Services and CORL Technologies. Meditology actually sponsors and hosts this podcast and is a top-ranked provider of services and solutions in the healthcare, cybersecurity, risk, and compliance space. CORL Technologies, which we often refer to as Meditology's sister company, is a service-centered solution for vendor risk management, compliance, and governance that is also 100% focused on the unique needs of the healthcare space. Prior to Meditology and CORL, Cliff served as the chief strategy officer for HITRUST and was responsible for architecting the HITRUST Common Security Framework or CSF and the certification model.

Brian Selfridge: [00:02:09] Prior to that, Cliff led PricewaterhouseCoopers or PwC's national healthcare security practice. In short, Cliff has been responsible for some of the most significant game-changing risk models and companies in the healthcare cybersecurity field for the past few decades. I want to make you feel old for Cliff, but it's true. On a personal note, Cliff and I have known each other for a very long time, and I've had the honor of working with him back at PwC, as well as with his time at HITRUST. And of course, we had the honor of starting up and building this whole Meditology and CORL thing together over the past 11 or 12 years. So Cliff is an absolute legend, not just in my mind, but in the rest of the field. And I'm honored to have the chance to rip him away from his CEO-ing to share his insights with you today. I'm going to be talking with Cliff today about how he has gone about envisioning, designing, and implementing some of the most significant innovations in our field over the years. More specifically, we'll talk about Cliff's perspective on emerging models for measuring and reporting cyber risks. We'll also talk about Cliff's journey, envisioning the HITRUST Common Security Framework and model, which is now a dominant force in the healthcare industry. And we'll also find out what Cliff is up to in framing out and implementing even more disruptive and game-changing paradigms for our field going forward. So he's not done yet and that's exciting. So with that long and perhaps unnecessarily detailed description, Cliff, thank you so much for taking the time to be a guest on The CyberPHIx today.

Cliff Baker: [00:03:30] Thanks, Brian. I appreciate it. It's a special moment after all the years we've worked together to actually be a guest on your show. Brian is a legend in his own right in terms of this podcast, and he's been publishing it now for many years it's got quite a following. I've never really been interviewed, so I appreciate the opportunity and appreciate the gracious introduction. It does make me feel old when I think about the history of what got us here, but it's been a heck of a journey. So thanks for having me on. 

Brian Selfridge: [00:04:07] Absolutely. And it's not a victory lap. Don't worry. We got a lot more work to do still. So I want to start off with Cliff. I was actually posed this question recently by the board of a large health system when I went out, went out to present to them and I wanted to sort of flip it around to you because I sort of thought it was a great question and one that I answered on the spot, but I think is worthy of getting several perspectives on. And that is they asked me, well, first off, board questions usually get like 30 seconds to answer them. I'll give you more than that since we're on a podcast. But the question was, which I will pose to you: What is the best way to measure the effectiveness of the investments we're making in our cybersecurity program? Simple question, maybe not so simple an answer: How do we measure the effectiveness of our investments? What do you think? How would you tackle that one?

Cliff Baker: [00:04:54] Yeah, it's a great question, Brian. As a CEO, really, I live by outcomes, whether it's revenue or margin or churn or retention. There's the specific metrics and outcomes that really define how we're doing as a business and how successful ultimately the business is performing. And so it's kind of in my nature and really something that I think about a lot just in terms of from a security and risk management perspective, what are the right results that board should expect and that management team should expect? There are a lot of these organizations are making significant investments in security and risk management, and it's often unclear to them the results that they should one should expect. And to our actually being delivered in terms of kind of return on that on that investment that they're making. So for me, really the ultimate objective, if a company's objective really, for the most part, is to make a profit in the security space, our objective is to manage risk, ultimately reduce risk, and then manage risk at that optimal level for the organization. And I think I think security executives and risk management executives need to be able to frame that position. They need to be able to explain at the end of the day how the investments that they're making are contributing to managing risk. Often the kind of information that I see at the board level is the number of projects that were delivered, the number of technologies that were implemented, the number of incidents that were investigated, the number of vulnerabilities that were patched. But that means little to business in an individual or business individual who doesn't necessarily have a security background.
That means it doesn't mean much in terms of at the end of the day, we've made this investment or we were self or better off than we were before we made an investment, and security professional has to, I believe, do a better job of explaining that position and presenting an outcome that business folks can understand. 

Brian Selfridge: [00:07:29] Yeah. In my experience, the stuff that gets reported up to the boards is just super messy. Maybe the board I'll directions like. So let me know if that's consistent with what you've seen as well. Like, it seems to me a lot of reporting models look something like this, like risk data gets pulled from a million different sources. You get your risk assessments, your vulnerability scans, pen test, and security tool dashboard. So there's a lot of risk data out there. And the security leader or their team cobbles together some kind of PowerPoint or maybe a GRC dashboard or they're a little more mature and try to create some kind of narrative and story based on the information they're getting. They weave in their own perspective, their own sort of personality, and maybe even some biases in the process as we all have them to kind of draw some conclusion. It just seems super messy and really dependent on the leader, the CISO in this case or whomever it may be. One is, is that consistent with what you've seen? Is there a better way to track and report risks just even from an operational perspective that you think would be better than that, that sort of messy model that I outlined there?

Cliff Baker: [00:08:38] Yeah, I think for me, kind of the optimal way to present information. There are some characteristics of the way that information should be presented. One, it should be objective. In other words, I don't need you to kind of paint the story for me. In other words, I can look at the results and understand how you came up with that kind of the way you kind of determine the outcome of the information you presented to me. So it needs to be objective. Certainly, as a business owner, I may not understand all the components. And as I dig deeper, I may not certainly understand the components, but if I wanted to spend the time connecting the dots, I should be able to connect the dots, and then it should be consistent from reporting period to reporting period. Right. Because in our world, trend trending is as important as kind of the point in time. The information probably trending is more important. There's no, I think, organization that feels they're at a state where there is no risk and they're going to be reporting no risk quarter by quarter. Right. Like, really what's important is the trending. And so as long as it's objective and you can trend it and it's consistent reporting, I think those are the characteristics I feel that boards and leadership team should be should expect from their CISOs.

Cliff Baker: [00:10:04] I think I think the way you can measure if you're lining up with that expectation as a CISO is again one if you have to clarify, paint a story, provide commentary for the information to be understood, then it likely doesn't meet that criteria. And if I can't track it from period to period, then it doesn't meet that criteria. I think a lot of individuals conflate objectivity with measurable quantitative metrics. And if I can emphasize anything, it's kind of to separate those concepts. You know, you can still be objective and rely on quantitative point of view perspective. Objective simply means that a non-partial individual person that's not involved in the preparation of the information can understand how you arrive to that result. Even if that result is an opinion point of view, quantitative and qualitative is really kind of describe the type of metrics that you're relying on at this juncture. I think where we are in the profession sophistication around reporting, I think the main focus should be objectivity. Just how do we present results that could be clearly understood by any party. And then those individuals again can kind of uncover the details and understand exactly how we arrived at that outcome, even if the outcome is a point of view and the qualitative determination.

Brian Selfridge: [00:11:42] What do you think about in terms of quantitative stuff? What do you think about this FAIR model? I had a client and they'll remain nameless because it's not a great comment, but they were getting a little bit zealous about FAIR, and it's this way of let's run everything through this, this sort of quantitative measurements for security. And that's the be-all and end-all. I don't want to bias your response, but it didn't feel like that was really the right answer. I haven't seen it used super well, but where do you see the role of FAIR and those types of risk measurement models in reporting up? Are they useful, not useful, or undervalued? Overvalued? What do you think?

Cliff Baker: [00:12:18] Yeah, I think in the right context they can be super useful. I think generally are overvalued just in terms of their adoption. So I think I think what FAIR is trying to achieve, which is an objective determination calculation, I'll even call it a calculation for risk. What they're trying to achieve I think is admirable and makes sense and is needed in the industry where there are challenges with the model, it's got to operationally scale. Right at the end of the day, if I have a calculation that's so complex that the inputs are really to scale the inputs, it's not practical. Ultimately, my calculation is going to rely on assumptions or kind of summarize data that really has a wide potential for variability. And so the ultimate results are not something I can depend on. So I think I think. Individuals see a quantitative model and assume that the quantitative model is going to deliver the most accurate results. It could deliver the most objective results, but accuracy. All these models, even when they're quantitative, depend on the reliability of information coming into the equation. And if the way you obtain that information is not scalable, then the equation doesn't mean much. And to all of these models depend on some assumptions. And so at the end of the day, those assumptions ultimately rely on some qualitative perspective on the environment and on risk. And so the notion that I have some magic formula that I can plug numbers in and get a magic result is foolhardy, I think, simply because, again, there are some fundamental assumptions that are the basis of that model.

Cliff Baker: [00:14:30] And too often these models don't scale in terms of the information that's required to input into the equation. And so the ultimate result is not something that's all that reliable. You know, I think I think, Brian, once again, one key aspect of metrics and reporting that is lost is really the objective of the metric is to drive some action, some decision like that's really at the end of the day, the goal here and I think folks lose the sense of that. They believe they perhaps get caught up in the reporting and it becomes maybe a reflection of their performance. And so it's more well, it's something that I need and I need to drive in the best possible, best possible result because it reflects how I perform. But really, the ultimate goal for these should be decision-making and optimal decision-making, right? And so at the end of the day, whatever system you use, whatever calculation you use, whatever formulas you use, as long as that results in the ability to make a decision as effectively and efficiently as possible, that's the end game here. And I think that that gets lost on folks. In other words, if I report a result that is so summarized or so diluted or has so many variables that I really can't understand what action is required to affect the next the next score or the trend in the score, If I don't understand what that next step is, that decision point then really undermines the purpose of these metrics. 
And so what I would encourage folks building better reporting and building metrics is to kind of think about one is what decisions you're trying to kind of influence or inform and then and then work backwards and then say, all right, like if, if, if for example, a decision around where I'm going to spend money or where I'm going to add resources or resources or which business units, I'm going to focus my efforts around which vendors need attention, whatever it is, if that's the ultimate decision point and work backwards and figure out most efficiently how you get that information to the kind of the various stakeholders as efficiently as possible. 

Cliff Baker: [00:17:05] And that's how you build your measurement program. I think another kind of aspect of this is when you build it that way, you realize particularly early on that the information doesn't have to be that sophisticated. You don't necessarily need these sophisticated calculations because the work you have to do, the decisions you have to do or so kind of kind of covering so much in terms of ground, there's so much lower hanging fruit that you really don't need many kinds of macro data to make the decision. And so that's another mistake I see a lot at the CISO level is folks kind of striving for this detailed data. And there's detailed calculations where the kind of the decision points are probably two or three kinds of decision points, and the information required to determine which of those decisions to make is really not all that sophisticated. And you could achieve the appropriate metric so much more efficiently by focusing on those decision points versus kind of building these detailed data reports that ultimately are required to support the decision. 

Brian Selfridge: [00:18:13] That's fantastic. And I know we could talk about risk reporting all day long. It's something I know you and I are both passionate about. I do have other things we want to get to, but I will make a short plug. I know we don't do ads or sales on this stuff. And so I don't mean it to take it that way, but I know Cliff and Team have developed a really innovative, really novel model for healthcare, cybersecurity, risk reporting, and so is some tech behind that and some process. And I definitely encourage you to reach out to Cliff and team if you want to learn more about that really, really cool stuff. So maybe we'll have you back for another episode sometime to talk through that in some more detail. But I do want to switch gears a little bit with you, Cliff, and talk about HITRUST a bit. I know that's just such an important topic for a lot of folks that listen to this show or maybe they just want to know more about it. In general, as I mentioned in your bio earlier, you played a really key, pivotal role in the development of HITRUST and the Common Security Framework and responsible for architecting that. And so I have a couple of quick questions for you around HITRUST. So maybe just starting with going back in the day here and thinking about the inception of HITRUST back in its early days, probably 2007, 2008, probably somewhere in that ballpark, maybe. Just tell us, how did HITRUST and the CSF come about and what was really the driving need to create the framework and certification model in the first place?

Cliff Baker: [00:19:32] Sure. It's I appreciate kind of delving into this topic. First of all, it really was born out of the expectations that regulators were setting for the industry that said organizations needed reasonable practices to comply with HIPAA. And if you look at HIPAA, it's got some broad topic areas, but the specifics around how you comply with a particular control area are not included in the regulations. And so on one, on one hand, we have this regulation that applies to the industry kind of broadly speaking, to go to regulatory agencies that are saying the way you comply with the rules to make sure you adopt the reasonable practice and there's no explicit kind of direction around what reasonable practice looks like for the industry. And at the time when we started the work on HITRUST, really the prevailing standards in the industry were either NIST, which was really at the time this is really evolved and explicitly kind of focused on healthcare. But at the time it was really more applicable to government agencies. And so as we looked at applying, using this as a benchmark for reasonable practice and we were looking at organizations all the way from like McKesson was a global multibillion-dollar huge company down to physician practices and lab companies and just kind of really small mom and pop type organizations industry.

Cliff Baker: [00:21:23] We had a real problem applying this broadly across industry, so that was a chance we had ISO, which again was a good framework, but it was lack some specificity and lack of specificity specific explicit to the healthcare industry international standard. But it was not what we could apply specifically to what HIPAA was asking from us. And then, you know, there were other there was assurance mechanisms out there like at the time the SSAE 16 SOC 1, which kind of resulted in some really kind of varied results in terms of assurance and what companies were reporting. And so we looked around, we didn't want to invent something new. We actually looked around and said, you know, in terms of understanding this reasonable practice, making sure we are on the same page as an industry, there was really no other option around. And that's when we decided to create the framework.

Brian Selfridge: [00:22:23] So now that HITRUST has been around for as long as it has been and been adopted and achieved the levels of, I'll say, success, I mean, it's really been a fantastic resource for the healthcare industry in my view. With the benefit of hindsight, do you think that the promise of HITRUST has been realized? What's going according to the plan may be that you sort of envisioned back then? And maybe what how is how has things changed or maybe deviated from the original vision for the HITRUST model, if you had to kind of do a look back? 

Cliff Baker: [00:22:53] Yeah. I mean, generally, I believe it's been an incredible success. It's HITRUST built an organization around getting this content out to the market and then built an organization around supporting an assurance process. And the assurance process is so important. I'll get to that here in a moment. But I think it's generally been a huge success when you see organizations like Microsoft and Google, those kinds of brands paying attention. You know, there's a lot of satisfaction I get from kind of understanding and knowing that there are security professionals out there that are working at those kinds of brand new companies, very sophisticated companies that understand the value of what HITRUST offers the market. Certainly, I think this is a never-ending journey. So there's continuously areas for improvement and it will continuously evolve. But as I look back, I still there is no real kind of competition a if I look at just purely as a product, putting my CEO hat back on, if I look at HITRUST as a product and the value that that product provides the marketplace, there is no competing option. And the reason I say that is one is HITRUST created an end-to-end security framework. So if I'm an organization that whether I get certified or not, it's irrelevant. But if I'm just looking for a framework to align my security practices around it achieves that objective. And then it has this assured assurance mechanism, which ultimately means that I can communicate how I'm doing against a framework to other stakeholders or other constituents. And those constituents could be a customer, it could be a business partner, or it could be a regulator.

Cliff Baker: [00:24:51] And that's really important in our industry as well for multiple reasons. And so if you combine those two aspects of the product, the product, there is really nothing like it on the marketplace. And then I think if I look at what this is doing now around automating the delivery of the certification results, building more just-in-time certification products, I think the organization is looking at the kind of end-to-end assurance needs of the marketplace and seeing kind of adjusting. If you look at the way Legacy assurance works in the industry, right, like you get a report, you get an auditor to sign off on the report and then you send literally a report of hundreds of pages to another entity who's got to make sense of that. I think if you're looking if you're from another kind of profession looking in, you have to wonder like, what? What are you as security and assurance people doing? If you look at the way we exchange information today and just kind of understands it, that they're tackling that head on and they've released the product called Ideas that's going to deliver the certification electronically. Hallelujah. I like yeah, of course, you would. You would expect that. So. So I think just as if you look at HITRUST as a product for providing security information, providing framework, and providing assurance, it's still the best result out there. And I'm really proud of what I was able to accomplish. I'm really proud of what I just have been able to accomplish over the last decade or so. 

Brian Selfridge: [00:26:25] So we've looked back here and we've looked at the current state, but I want to look forward a little bit. I mean, I think it's safe to say healthcare is still waging a very much uphill battle in cybersecurity generally. Right. The number of breaches, the increasingly skilled adversaries we have, and all that. What role do you see HITRUST playing going forward? Do you see this evolving in any way? And how can HITRUST sort of help to solve the problems that we are facing for the next ten, 15 years if it's any different than what we're doing today?

Cliff Baker: [00:26:51] Yeah, look, I think HITRUST is right in the center of from a risk management and communication between kind of relying parties, what kind of where it needs to be. And for this reason, when I started CORL about a decade ago, generally because I was engaging with my clients and I could see kind of this significant movement to relying on what we call vendors, but relying on software and service providers in the delivery of core services either to their patients or to their members health plans. And there was a time ten years ago where kind of vendors were kind of supporting cast members, like clinicians relied on use software, but at the end of the day they could fill out paper. The devices weren't necessarily connected to networks, medical device necessarily connected the networks. And so software vendors were supporting characters. That has changed completely over the last decade. And I could see that coming. And where it used to blow my mind is I would see my clients kind of investing all this effort and time and work into securing their environment and then creating a dedicated VPN connection to third-party, who I know was not making anywhere near the same investment. So it didn't make sense to me. You put all this effort into kind of the euphemism I've used in the past, or the kind of metaphor I've used in the past, is you put all this effort into kind of securing the front doors and the locks, but then you leave the back door open.

Cliff Baker: [00:28:52] And so ultimately then it has a breach. Your reputation is tarnished and you have to handle all the regulatory fallout based on the breach. And so it made no sense to me, and that's where I really started paying attention to this topic. Well, a decade later, health systems and health plans cannot achieve their mission without vendors they've become so critical to the delivery of core operations that it's one and the same organizations, and their business partners and vendors are one and the same in terms of reliable, secure delivery of core services to patients and members. And not only that, we're in this economy where which is great from an innovation perspective, but different solutions can pop up. It seems like routinely, you know, in a SaaS model, offer up their product or service to the customer, and that can be turned on almost instantaneously. And so we're in this economy where you really are going to almost anything you need accomplish. You almost assume that there's some sort of SaaS solution out there. And it's a matter of finding that solution, turning it on. Right. Figuring out how it gets integrated and figuring on the dependencies between pieces, figuring on how you're going to manage access is right now an afterthought. But we know that our clients are turning on these solutions very, very quickly and for good reason, right? Because they provide value to core services and business stakeholders want to leverage their value.

Cliff Baker: [00:30:37] And so it's a long-winded answer to your question, Brian, but I think the whole delivery model of patient care and supporting members is now relying on third parties and the efficient exchange of information around risk information. Trust information is so critical now that organizations like HITRUST are really kind of at the center point of making those transactions and making those relationships viable. Because if we don't have a mechanism like HITRUST, ultimately organizations will keep second-guessing each other. When they keep having breaches, they'll keep second-guessing each other. And in, as you've heard this cliche a lot, where there's uncertainty, businesses don't like uncertainty. Businesses don't like second-guessing what the outcome is going to look like. And whenever there's uncertainty introduced into a transaction, everything slows down unnecessarily. And so if we can create some certainty around trust and we can create some certainty around collaboration in the risk management space and security space, we enable commerce, right? And we enable patients and members getting better services, more sophisticated, more improved, more kind of evolutionary revolutionary services. Right. And so and so that's really kind of enabling that trust and exchange of information is key. And HITRUST is really the only mechanism right now in our space that can deliver that information. And so I think they're going to have a pivotal role going forward, even more so than they did a decade ago. And they'll be even more relevant, I think, for the next decade than they have been this past decade.

Brian Selfridge: [00:32:29] So I'm really glad you mentioned sort of CORL and HITRUST in these intersections because you have the claim to fame of having built some really incredible businesses and really disruptive solutions for industry. You seem to have the knack for flipping these traditional paradigms on their head and driving more effective and efficient models for the industry. We saw that with HITRUST, saw it with CORL. We've seen it in other spaces. Meditology, obviously. So my question to you is what's next? What do you have cooking in the next wave of innovation? What kind of solutions are you building now that are going to tackle some of those issues that you're seeing start to percolate these days? So to the extent that you're willing to share any secret sauce with us and what you got in the works.

Cliff Baker: [00:33:08] Yeah, I think I still have a lot of passion and a lot of work to do in two main kind of areas. One is, I'll mention, metrics, reporting, and executive reporting between CISOs and their executive stakeholders and boards. I think the industry could really take a huge leap forward. The professional consumer could take a huge leap forward in terms of the way executives report information. We've seen the evolution of the CISO in healthcare really evolve, particularly over the last five years, from kind of technologists to business-savvy executives. And I think along that evolution is really how you report and communicate risk to stakeholders. So that's one passion of mine. The other passion is really solving and working in this third-party space where we are really just the tip of the iceberg with respect to kind of the complexity and the issues and the challenges we're going to face working in this new vendor-supported ecosystem. It's really fascinating to me. It's really interesting. And we're just seeing all new types of paradigms unfold just in terms of kind of the way cloud services are going to be delivered. One of my clients is setting up a virtual health system, right, where the patient essentially at their home is going to be connected to various devices, which are going to be managed as if they were in a hospital bed within the hospital. That's a really interesting paradigm. And all those core services are outsourced, everything from the clinicians to the systems that the patient's hooked up to, to the connections back to the health system. Everything's outsourced. I've got another client where they're moving aggressively into the cloud.

Cliff Baker: [00:35:12] So the EHR is moving to the cloud, but now they want to connect their device, kind of the medical device consoles and medical device reporting solutions. They want those in the cloud so they can connect the various solutions. So now I've got a cloud vendor, I got a vendor, I've got a medical device, I've got suppliers, all vendors, all kind of in this new ecosystem in the cloud. And it's my cloud. So it's really, really interesting. And the permutations that I could describe go on and on and on. But it's evolving really quickly and it's really complex and has a lot of complex challenges. And this one is a doozy. So I plan to keep at it. I think the way the risk has been managed in the past, and in other industries as well, it's just not sane and not scalable and not sustainable. And so if I look at kind of the way the delivery of care and tools we're using is evolving, and I look at kind of the way we're managing risk in this space, it's really up for major disruption and that's the sweet spot for me. And so that's what I intend to do. That's my swan song to the industry, is to get this figured out. Let's figure it out in a big way. We've got to shift things in a big way. We've got to make some real radical changes. I believe I have a good beat on what those need to be and I intend to see that happen. So that's my next mountain to conquer, so to speak.

Brian Selfridge: [00:36:55] Well, that's great. I know you're already well on your way up that mountain, having had the privilege of seeing behind the scenes and how things are going. Just, I'm super excited about where your solutions and your visions are sort of being translated into reality. And I can't wait till they hit the market, so everybody can stay tuned for those. It's going to be awesome. And actually my final question is sort of along those lines. I mean, there's no shortage of good ideas out there for new innovations in cybersecurity as there's new vendors, meaning cybersecurity solutions providers that pop up every day and different tech solutions. So it seems like there are a lot of folks trying to solve this, but obviously, maybe not obviously, but not everyone can execute on those visions and great ideas. There's a lot of sort of reimagining of old ideas that just isn't really solving the problem. So as for you as an entrepreneur in this space with several successful companies now, you've actually been able to not only have great ideas, but make them reality and make them work in a scalable, implementable, operational way. What do you think allowed you to be successful in actually implementing those big game-changing ideas where so many others just really struggle to get traction?

Cliff Baker: [00:38:02] It's a great question, Brian. I think I have a knack of kind of connecting dots and I know that we all have different strengths. That's definitely one strength I have, is I can connect various dots. So in other words, I can see various pain points and I can see how they're related and I can kind of picture how those kind of pain points are going to evolve and the intersection between those related points. And so that's what I think that I have. I thank my parents and the DNA they passed on to me for that ability. But I think, having worked together for a while, hopefully, this is probably kind of an old story for me, but I think just listening really, really carefully and humility to acknowledge that you don't know all the answers has served me very, very well as an entrepreneur. And so, even before kind of agile was a thing, it's always been in my nature to kind of piece together what I believe is a solution and then start testing it, start getting kind of information out there, start asking clients tough questions about what they feel about it, and getting data points and adjusting, getting data points and adjusting. And I'm always testing out. I'm always adjusting. And if I hit an obstacle, then I figure out what my adjustment needs to be and test it and test it and test it. And so that kind of iterative process has served me really, really well. And I think that's what's kind of allowed me to bring to market solutions that actually work because the first permutation of the solution does not work.

Cliff Baker: [00:39:53] Right? And then I learned and adjusted, and so continuously adjusting and then figuring out what I need to overcome the barriers to adoption or to success is what I do, I think, fairly well. But being modest enough to acknowledge that I don't know the answers, and there are a lot of smart people out there that have far more experience than me in various areas, and being humble enough to listen to their feedback, even when it's not flattering and even when it means I've got to start over or even when it means I'm off base, has served me very, very well. And so, you know, there's an old kind of adage in our business, like in business, you know, I'll often have folks I work with will come back to me and they'll say, I put this in front of the client and they loved it. And I'll come back and say, well, how much are they willing to pay for it? And all of a sudden, when you ask someone to pay for something, you realize that perhaps, maybe the feedback you got wasn't all that flattering or wasn't all that sincere. And so I think, again, what I've learned is to continuously probe and probe and probe and probe till I believe I'm getting the most accurate feedback I can obtain and then adjust and be humble enough not to just take the first compliment and run with it, but to keep probing, even when you think you're on the right path. So I know for me, that's the key to success and it's served me very well.

Brian Selfridge: [00:41:42] That's fantastic and hopefully some great words of wisdom for folks that are trying to break into the market or try to make their ideas get off the ground. So just fantastic. Appreciate you sharing those insights. And I would love to, I could talk to you for another several hours or days. That tends to be how we are. But I want to get you back to your important business of making all this stuff work. And so I can't thank you enough, Cliff, for taking the time to be here with us today. My guest has been Cliff Baker, who's the CEO of Meditology Services and CORL Technologies. Cliff, thanks again for really taking the time, sharing these insights with us and we'll try to have you back again. Not that we won't wait another four years to check in with you and see how things are doing. But thanks so much. Really appreciate your time.

Cliff Baker: [00:42:25] Yeah, Brian, thanks for having me again. This podcast is an amazing resource in the industry. You've been doing this consistently for four years. I regularly tune in. This is how I get my information. I appreciate all you've done to kind of launch this and sustain it, and it's been an incredible resource for me and so many other professionals. So thank you. It's been fun. I appreciate you having me on.

Brian Selfridge: [00:42:58] Again, I would like to thank my guest and dear friend Cliff Baker for taking the time to join us on The CyberPHIx. Cliff is truly a legend in our space and I'm honored and humbled to have had the chance to work with him and learn from him over the years. I hope you enjoyed the conversation as much as I did, or at least I hope you enjoyed Cliff's super cool South African accent, which always makes him worth listening to in my opinion, for sure. 

Brian Selfridge: [00:43:18] I also have a quick announcement to share with you. It is with truly mixed emotions that I want to let you know that this will actually be my final episode hosting the CyberPHIx Podcast. I have thoroughly enjoyed, thoroughly, thoroughly enjoyed the opportunity to bring this podcast to life almost four years ago now, I think, when we started things up, and be able to share with you my limited, albeit limited insights into the goings on in our field as best I can and try to let you know what's happening with our clients, with the markets, and all the different moving pieces we have to worry about. But as we grow here as a company of Meditology Services and CORL, of which I have a leadership role in both companies, I really need to shift my focus to more strategic endeavors. And it felt like it's about the right time to hand over the reins of the podcast to give you all a fresh and new perspective. So don't panic. The CyberPHIx isn't going anywhere. We're going to continue to produce episodes and continue in this format.

Brian Selfridge: [00:44:11] We'll be stronger and better than ever under the supervision of my good friend and colleague Britton Burton, who will be taking over as the host of the CyberPHIx. Just to give you a little background on Britton, as you'll be hearing from him in the next couple of episodes and thereafter. Britton currently serves as the senior director of product strategy for both Meditology Services and CORL Technologies. And prior to Meditology and CORL, Britton designed and restructured the risk management program for HCA, which is the nation's largest for-profit health system, just hundreds of hospitals and huge health system. He also served in prior roles with HCA as the director of Information Security for their Mid America division, where he led the third-party risk management, risk management, incident response, and disaster recovery efforts there just among other responsibilities. Britton is, hands down, one of the brightest and most capable professionals I have ever met and worked with in our field. So I'm excited to bring him to you. If you haven't dealt with him or met him or learned from him, this is just a great opportunity and I've had the honor to know Britton for a long time, both as a client and then more recently this year as a colleague, and it's been a fantastic experience. I'm certain that you will learn a ton from Britton, just as I have, and continue to do. You'll benefit from his fresh perspective, giving you a different lens on a lot of the topics that we talk about. From his experience having been an industry practitioner for so long and actually in a lot of your shoes, for those that listen to this I know are out there fighting the good fight and Britton's been doing that as well and he's been a great leader in the healthcare cybersecurity field for so long.

Brian Selfridge: [00:45:41] And again, I can't wait for you to hear from him and he'll be a fantastic host of The CyberPHIx. Now, this is not the last time you're going to hear from me, so I just want to be clear about that. If nothing else, we have a special episode coming up in the next few weeks where Britton's actually going to interview me, which should be a lot of fun and kind of share some thoughts on what I've seen over the years in the field. Above and beyond what you've already heard from me on this show, just in general. Also, while you may not hear my voice quite as much, you'll still get to hear my guitar playing as you listen to our intro and outro music here and from my band Steady State. You can check us out if you want to there at www.steadystateband.com. If you want to hear some more of that, just to give you a shameless plug for music. 

Brian Selfridge: [00:46:25] And finally, I'd like to express my deepest appreciation and gratitude to all of you, all of our listeners of The CyberPHIx over the more than 100 plus episodes that we've produced over the last four years. Your attention to this podcast, and your willingness to tune in, has been really inspirational for me as I've gotten feedback from listeners over the years and that they are appreciative of us putting this out there. 

Brian Selfridge: [00:46:49] And it means a great deal for me that you take the time to do this and to our team here at Meditology to continue to be able to produce this content, hopefully for the betterment of all of us in our community as we fight the good fight. I want to thank the many amazing guests we've had on the show thus far, and again, there will be many more to come, just thank those guests for really paying it forward and sharing their insights. This is not a funded podcast. Nobody gets paid. There are no advertisements. Hopefully, you appreciate that part of it. So we've just strived really to bring you the best intelligence and guidance we could muster from both our amazing team here at Meditology and CORL, as well as just the incredible colleagues and leaders in the industry that have been willing to come on in and share their experiences and their lessons learned with you all and willing to take the time to do these interviews.

Brian Selfridge: [00:47:36] So there will be many more amazing interviews and podcast episodes to come, and I'm excited to participate in those and frankly listen to them as well as on the other side of the fence here. And I know you're going to thoroughly enjoy and appreciate Britton's perspective as our new host for CyberPHIx. So with that, I will close, I suppose, with my usual tagline: So long and thank you for everything you do to keep our healthcare systems and organizations safe.