Redefining CyberSecurity

Crossing Borders: The Cyber Pulse of Global Healthcare | A Conversation with Dr. Saif Abed | Redefining CyberSecurity with Sean Martin

Episode Summary

In an insightful episode of the Redefining Cyber Security Podcast, host Sean Martin and guest Dr. Saif Abed shed light on the critical intersection of healthcare and cybersecurity, highlighting the challenges and evolving threats in a rapidly digitizing sector. With Dr. Abed’s vast experience advising on global cyber resilience and policy, they explore the necessity of proactive measures in safeguarding patient care and the implications of current policies, making a compelling case for the importance of cybersecurity in modern healthcare.

Episode Notes

Guest: Dr. Saif Abed MD, Director of Cybersecurity Advisory Services, The AbedGraham Group

On LinkedIn | https://www.linkedin.com/in/drsaifabed/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin welcomes Dr. Saif Abed, who brings a wealth of experience from both the medical and cyber security practices. Specializing in the interface of healthcare and cybersecurity, Dr. Abed discusses the diverse challenges and evolving threats faced by the healthcare sector amidst rapid digitization and the global push towards electronic health records and connected medical devices.

Dr. Abed provides insightful reflections on the state of cyber maturity across nations, emphasizing the diverse stages at which healthcare systems find themselves in terms of digitization and cybersecurity readiness. He underpins the conversation with examples from his extensive advisory roles to technology companies and governmental agencies, especially during critical times such as the pandemic.

A significant part of the discussion revolves around how healthcare entities are digitizing faster than they can secure their systems, making them susceptible to attacks such as ransomware. Dr. Abed criticizes the reactive nature of policy and regulation, suggesting that it often lags behind the threats, posing an ongoing challenge for healthcare providers to maintain patient safety and care quality.

The conversation also explores the implications of policies like HIPAA and the importance of adopting a global treaty to address cyber attacks on healthcare organizations. Dr. Abed argues for a balanced approach — 'carrots' for providers and 'sticks' for vendors — to enforce better compliance and ensure the sustainability of digital healthcare ecosystems. Through a blend of personal anecdotes, professional achievements, and expert analysis, Dr. Abed offers a nuanced understanding of the intricate relationship between healthcare delivery and cybersecurity. His call for more resilient and proactive measures highlights the urgent need for alignment between healthcare advancements and cybersecurity policies to protect public health on a global scale.

Top Questions Addressed

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Inspiring Post: https://www.linkedin.com/posts/drsaifabed_dr-abed-who-cybersecurity-publications-activity-7158569953263042561--Gi3/

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You are very welcome to a new episode of Redefining Cyber Security podcast. And this is your host, Sean Martin. Of course, if you're, you're watching, you see, I have a, a cool guest joining me today. Uh, you don't know who it is. Uh, maybe, maybe you do. Uh, you might've seen 'em online, LinkedIn, which is where I often get a lot of my inspiration. 
 

Um. Um, sadly. I spend a lot of time on LinkedIn hearing what people talk about and share and, uh, I have my own thoughts as well. Um, many of you know that I have a deep appreciation for the healthcare sector. I, I've spent a lot of time looking at this, uh, world, mainly from a compliance perspective, uh, and a risk management perspective.
 

But ultimately it all boils down to how does that impact the patient and the care that, that they get or don't receive in some cases. And, uh, I'm thrilled to have Dr. Saif Abed, uh, join me today. Doctor, thanks for, thanks for being on the show. [00:01:00]
 

Dr Saif Abed: Oh, it, it's great to be back and, uh, I, I look forward to discussing all things healthcare, cybersecurity, and beyond. 
 

Sean Martin: Yeah. And, uh, I'm, I'm thrilled because you have, you have a unique perspective and, uh, you get, you get to get involved in a lot of different things. And, um, so I'm, I'm thrilled to have this conversation again with you as well. Uh, we're gonna talk all things policy, current state of affairs, uh, look at things from a global perspective.
 

And, uh, before we do that though, doctor, uh, for those that didn't catch the last episode, I can't remember when that, when that was a few years back now. Um, a reminder of who you are, what you're up to, and uh, yeah, a little background would be helpful. So thanks very much for that.  
 

Dr Saif Abed: Sure. So my name is Dr. Saif Abed. I'm a medical doctor by background. I, you know, I, I practiced, uh, medicine in, in the UK. Um, but for the last 12 years I've run an organization [00:02:00] made up of clinical people who are looking at risks in technology and essentially cyber security and risk management as a consequence.

And, um, I've been very fortunate to have a career where I've been, uh, an advisor to most of the large technology companies in the world, um, that your audience would've heard of. But I would say more impactfully. Uh, many government agencies, um, national government and global government agencies, uh, especially during the pandemic. Um, I've advised on cyber diplomacy, cyber security, cyber resiliency on everything from hospitals all the way through to kind of a chemical, biological and radio nuclear facilities.
 

Um, in terms of understanding how we address risk there. And then more recently looking at things from a diplomatic perspective. How do we get more diplomatic unity on the subject of cyber security and public health? Um, that's kind of me in a [00:03:00] nutshell.  
 

Sean Martin: I love it. You've only scratched the surface in terms of the things you you're talking about there, but I'm sure that a lot of deep, deep conversations, uh, that impact a lot of people, uh, around the world. 
 

And, um, I, I wanna start here and I, I'm gonna start a little philosophical 'cause Marco and I did a live livestream the other day and we talked about this world of technology kind of taking over our lives. Where in this. Utopian, dystopian every one of you. It world, we end up where everything is done for us. 
 

We don't have to touch anything. We don't have to smell anything. We don't have to taste anything. It's, it's just all there done for us by technology. Right? We can, we can start to see some of that in autonomous vehicles where you just sit down and you don't push a gas pedal, you don't steer the wheel, you don't do anything. 
 

You just listen to music, watch telly, whatever. Um. I, I use that [00:04:00] 'cause in that conversation we also talked about electric vehicles where there's regulation out of the uk and consumers are not the, the manufacturers abided by regulation and set up EV manufacturing, but the consumers are not buying the vehicles as fast as the manufacturers thought they would based on the regulations. 
 

Policy was developed to drive an action in society marrying, uh, manufacturing and, and consumer building products or manufacturers with, with, uh, consumers. One end didn't held up their end of the bargain, the other didn't. So I, I use that as a, as a launch point to kind of get your view on policy, cybersecurity and healthcare. Do you see a world where things are lining up and all parties are playing nicely together toward the same thing? Or how, how does that look? [00:05:00]
 

Dr Saif Abed: Um, the easy answer would be to say no, but it's, that's too straightforward of an answer, right? The, the reality is every nation in the world is at a different stage of its cyber maturity. 
 

Um. Before that, it's at a different stage in terms of the digital maturity of, of, of its health system, let alone the cyber side. Um, I would say the, the issue around policy and compliance is that it lags the threats that an industry faces, right? So we've had ransomware for so long now happening in healthcare, but very often where a nation is dependent on regulations that were created pre the real age that we're in now, before ransomware became the big deal as it. 
 

Regulators, policymakers are playing this really difficult game of catch-up. Um, and a lot of the time they face the challenge of [00:06:00] having to depend on industry because on the one hand, they understand that there's this objective to protect patients, to protect public health, but there's this understanding that the very healthcare organizations that need to abide by best practice have budgetary. 
 

But also they don't want to price suppliers out of the market. And obviously every supplier is gonna say regulation's too expensive. So we're in this challenging position where things do move too slow. A lot of regulations are outdated. The capacity for healthcare organizations to adopt the regulations, um, sometimes it's challenging and you get the push back from industry. All the while, the threat actors, there's nothing stopping them, you know, uh, their, their foot is down, they're going 120 miles an hour, looking for targets, attacking, um, getting outcomes, getting, getting ransoms paid, and beyond, and that's the constant problem we're facing right now.
 

Uh, I would say in terms of [00:07:00] regulation and policy making different stakeholders versus the threat landscape we're actually in.  
 

Sean Martin: So I know this is very, uh, US oriented, but uh, and I mentioned, mentioned this before we started recording, but HIPAA HITECH was, for me, I felt like a very strong driver for awareness and had, had some teeth in terms of, here are the things you need to do, and if you don't, there'll be penalties and, and fines and things like that. Mm-Hmm. I, I, I, I think it moved certainly the awareness needle, potentially even some of the internal policy and controls needle.

Um, but your perspective on how successful that was and perhaps changes in national and international global policy, um, in relation to that. Have, have we learned anything from that? Uh, are we doing things differently or what's that world look like?
 

Dr Saif Abed: [00:08:00] Um, I mean, I, I think policies like HIPAA that, uh, have punitive measures associated with them and have relatively clear language on, at the very least, certain issues around data breaches and increasingly interpretations, clear interpretations around ransomware and whatnot.
 

So I, I think standards and regulations like HIPAA, um, do move the needle. They're important, they're necessary. 
 

Uh, what the challenge is, is that there's not enough awareness of the, of the fine details of these regulations. And one of the big challenges also is that these regulations were created often well before, uh, the period we find ourselves now in terms of the cyber security age and the cyber threat landscape that we are in.
 

So we do have issues of awareness and education about these regulations. These regulations probably do need to be revamped. They do [00:09:00] need to be revisited. Uh, but the policymakers. They have a challenge. They're playing catch up. And that's not unique to, to the United States. It's, it's worldwide. Uh, every nation is attempting to figure out the, the pace of digitization of its healthcare system. 
 

Uh, every nation is trying to figure out how do we protect these systems? There's a big gap between the increase in digital maturity and the playing catch-up of security maturity. I've written a lot about that. I have a nice little chart that I've, uh, I've drawn, I share on LinkedIn, or whenever I give lectures, I bring this chart up and everyone immediately gets it. 
 

I. It's like what you just, I think you were describing it before. We love using digital technology, but we only think about the risks when things actually start to go wrong. We don't think about it proactively. So I think that's a similar issue in terms of the development of regulations and standards and how they're actually enforced in an industry. 
 

Sean Martin: Yep. And, and I'm, I'm reaching back [00:10:00] into the, uh, the confines in my memory, but I, I think there was one thing, I believe it was in HITECH that, uh, speaks to readmissions or the, I guess my point is the, the focus was on the outcome for the patient. Right? So a lot of the, a lot of the stuff that it spoke to, it was clear that it was to not, not make bad decisions and, and whatnot and, and providing the care such that the patient would have to come back because it costs money and, and all that kind of stuff to do that.
 

And it's not good for the patient, of course, either. Your thoughts on that? Do you, do you think we as a, as a world, and I don't know if some places better than others, I'm sure, but as a world, do you, do you think we have that view still in mind? 'cause in, in the, generally in commercial space, it's, what are the threats? 
 

What policies can we do to, to [00:11:00] understand how those threats might impact our business? And we can begin to apply some controls, which is HIPAA, but it's very tech control-driven with, and hopefully we achieve the outcome for the business that we want, versus here's the outcome. How do we, how do we get there? 
 

So your, your thoughts on that from a health, health policy perspective.  
 

Dr Saif Abed: Yeah, unfortunately we have still not figured out that healthcare is the business of looking after patients and ensuring they have good outcomes. Unfortunately, uh, it it, it seems counterintuitive like yes, the doctors, the nurses, they get it. 
 

Let's, let's talk, talk about that. But I think a lot of executive leadership in healthcare organizations around the world, um, are still trying to balance the books. Look at budgets, look at profitability, look at reputation. And yes, they may acknowledge that outcomes of patients are a part of that, but they, I don't [00:12:00] think, well, no, I, I know for a fact I would say that when it comes to cyber security, they're not giving cyber security at a technical level enough attention, let alone seeing the connection with, uh, patient safety and negative outcomes. 
 

I mean, I've defined my career by analyzing, understanding, advocating and raising awareness of this issue. And unfortunately, it's only when, for example, a ransomware attack has happened and ambulances have been diverted for critically ill patients. We're talking heart attacks and strokes. It's only when the bad stuff actually happens that the executive leaders, governmental leaders, end up being forced to, to pay attention.

Um, so this is a huge issue and we are nowhere near fully understanding the, the scope of the problem and the impact. And if I may, one of the common issues is people want a very direct outcome. They will, they'll say, Dr. Abed, show me a cyber attack and [00:13:00] show me someone who died and then I'll understand the outcome.
 

Whereas actually, it's very often the impact is far ranging and in many ways more critical. We're talking about, I always use the example, if you have someone in an ambulance who's suspected of having a stroke, they have a three hour window for being treated. You delay their treatment. That's the difference between full recovery and being half paralyzed for the rest of your life. 
 

That's the, that's the level of detail that we simply haven't understood. We're at. We haven't counted the delayed cancer diagnoses, the delayed cancer treatments, the delayed surgeries. So I could go on and on, but you get, you get my drift, I suppose, on this issue.  
 

Sean Martin: Yeah. And I, and I know in, in the States, it's, uh, routine that people pull over when an ambulance, uh, is passing. I spend quite a bit of time in Ireland, not not always the case, and then certainly in, in other, other countries in Europe that I've been, it's, you don't always see the, the cars pulled [00:14:00] aside. I don't know what it's like in the UK. I can't remember in experience there, but I guess my point is that's a policy or at least a societal thing that says, to your point, we wanna help that patient get, get there fast.

Uh, so we're gonna do this good thing. Um, so I can relate that to cyber security. I want to, I wanna, you, you, you mentioned ransomware and, um, uh, the, your post on the, uh, WHO uh, papers that came out, uh, was a trigger for us to connect. And, um, ransomware was mentioned in there quite a bit, in, in a big chunk of, of the papers.

And I have a few thoughts, and one it's first is, and this isn't a question to you, and it says just more of a thought, why is this still a problem, ransomware, um, and in terms of a problem to be solved, and two, why is it still a problem that, that we [00:15:00] haven't figured out, um, ways to deal with it and other ways if we can't solve it with technology from vendors and whatnot.
 

Um, and then the other point is, I've had a couple conversations where I've heard folks say that that ransomware numbers in terms of the number of people paying is diminishing, the prices are going up for those who do, but the number of people paying is, is lessening. And I guess your thoughts on how big of a deal, is it still in healthcare? Is it, and, and why? Is it because of the potential extreme outcome that, uh, it is still an issue. If it is,

Dr Saif Abed: It's a huge deal just because healthcare is tremendously weak and susceptible to ransomware attacks. It's really that, that simple. The, the attackers are looking for the easiest targets. And healthcare unfortunately continues to have some of the easiest targets at scale.
 

Um, a big part of that [00:16:00] continues to be that healthcare is digitizing faster than it can secure itself. Um. Healthcare is at an infrastructure level, historically has been a laggard compared to other industries in terms of digitization, and it's only going through a very accelerated phase of digitization during the last five years and beyond. 
 

And as a consequence, um, your ransomware gangs, your cybercrime groups, they're seeing constant expansion of the threat landscape or the opportunity landscape as far as they are, uh, concerned. Um. And combine that with lots of historical infrastructure, legacy infrastructure. It's just, I mean, just healthcare continues to be a right, a ripe target.
 

Uh, for this. Uh, I've seen different studies about, uh, numbers of payments of ransoms being paid. Uh, sure that is undoubtedly, uh, true. Um, however, healthcare specifically. I mean, even, uh, recently, I mean, in Romania [00:17:00] I saw an article about twenty-eight hospitals being affected by ransomware attack. You know, as we speak, or very recently, I mean, every few days I'm seeing news about a disruptive ransomware attack on a major hospital or a group of hospitals. 
 

Yeah, it's, uh, it's an ongoing problem, uh, the steps to figure it out. I, I'll tell you one thing that's really important, buying more security technology is not the answer. If you have nothing, sure you should invest, but actually training your people, your doctors, your nurses, your hospital managers, your staff to know what to do when things go offline is, in my opinion, more important. 
 

Can you still look after patients in a seamless way by transitioning to alternative workflows, even if they're paper-based, but in a way that's smooth and trained. The same way that if there's a natural disaster or a terrorist attack, major hospitals know what to do to deal with the influx of patients. 
 

Are we training our staff and hospitals to know what to do? 'cause for all the cyber tech you can buy, at some point it won't be enough. Right? So we have to be [00:18:00] prepared. I think that's a big issue.  
 

Sean Martin: So interesting. Um, of course it makes sense if, if you don't have the digital, you revert back to the paper. 
 

But I guess is the, is the view for many executives that we're going digital, therefore we eliminate paper. Because I know a lot of, a lot of early days. Uh, derived to the cloud and like e-signatures, when I think their biggest selling point was ditch the paper, right. For, for signing things. Um, it, it, I don't see a world where they, they have paper at the ready for those non-digital workflows.
 

Dr Saif Abed: I would say that most many executives and many hospitals don't even know what their backup workflows are. I don't think they even know if they have paper or not. I don't think they've necessarily even made that decision themselves. Someone somewhat, someone in each department may have made a departmentally specific decision, uh, but where [00:19:00] it matters most and where accountability stops at the executive level, I think many places they, they don't even know, unfortunately. 
 

Um, I think, uh. That becoming a paperless hospital or a paper light hospital has been great from a branding perspective for many healthcare organizations without thought as to, okay, how do we recover if the digital doesn't work? Or if the first line digital technology stops working, do we have backup digital technologies with, you know, maybe the, the last stepping a full, you know, revert to paper? 
 

But I, I, unfortunately, I don't think most executives from my experience, um. Have had that level of knowledge or, uh, insight on their organizations?  
 

Sean Martin: Yeah, so I, I know in, um, in a lot of, just, not just specific to healthcare, but a lot of stuff that I've seen and worked on last year or so has been around the, the concept of being resilient. [00:20:00]
 

Which of course means uptime, um, and kind of having these backup plans in place, if you will, um, is, is that a focus for policy leader, policy makers and, uh, standards definers and, I dunno, have you, have you seen much movement in, in that front?  
 

Dr Saif Abed: Um, I, I would, I would separate the standard people from the policymakers.

I think especially, uh, given we're in a more dangerous age in the history of mankind currently with all the things happening in the world, um, it is, uh, without a shadow of a doubt, um, governments are worried about the resiliency of their critical infrastructure. Uh, there's no doubt about that. And so I think that their approach to achieving resiliency is through allocating bigger budgets, um, to different parts of the [00:21:00] economy.
 

The question, though, the question mark that always persists is whether they're allocating the budget but actually know how the budget is being spent. And what outcomes and deliverables do they expect? Uh, and that requires understanding people and processes as much as it does, uh, technology. So I think the policymakers, yes, there, there is movement.
 

Again, different levels of maturity. The standard setters, as I mentioned before, it takes so long to set a standard, let alone to then go back and review it and review it with different stakeholders in a multidisciplinary way. Tremendously challenging. So I think they want to make sure their standards are fit for the modern age, if you will. 
 

How long it takes to achieve that is a different story, unfortunately.  
 

Sean Martin: Yeah. And earlier you mentioned, I, I wanna bring this up now, you, you mentioned the fact that healthcare entities are [00:22:00] digitizing faster than they can secure. So I'd like a picture of what that looks like. I mean, on the broadest stroke, I could say that means from paper to digital systems obvious. 
 

Mm-Hmm mm-Hmm. Or some digital on-prem to the cloud might be another, another transformation that that takes place. Um. But I think, I think there was, there was certainly a lot of big changes with the pandemic. We had remote. The move to remote healthcare? Uh, I think there's a lot of work in, in the, uh, the pharma space for clinical trials and, and bringing new, new materials to, or new vaccines and, and things to market and getting the, the information out to everybody and who has, which vaccines and how many did they have, and all that stuff has to be digitized. 
 

So I think we see a lot of changes there. But [00:23:00] I know there's also things like broad views of other, um, epidemics or hopefully not another pandemic, but, but other, other trends of bad things happening to people, certain ages, certain ethnicities, certain regions, whatever. And also in the opposite trend of trying to, uh, find ways to provide, uh, precision mm-hmm medicine precision care to folks, um, where you can treat a specific thing based on their, their makeup.

So are, are some of those still trends and are those the forward-moving things or, I guess those are my ideas. What, what's the current state of transformation in healthcare that that's really driving the, we're we're doing things faster than we can secure them. Yeah,
 

Dr Saif Abed: Yeah. So globally, so just outside of the United States for a moment, globally, it's still a big shift from paper to electronic health record systems, [00:24:00] that's still a big deal. Um, and for those that have already made that transition to electronic health record systems, it's adopting more and more of their modules until you are truly approaching what would be considered a, a paperless state going beyond that clinical decision support tools.
 

So I, I wouldn't call it AI that, I'm not gonna say it's that, but using automation to streamline decision making and, uh, to complete manual processes, even if they're digital, to do that in a more automated, templated, uh, way, that's a, a huge development. You mentioned the work from home or remote working aspect.
 

Digital radiology, digital pathology, digital diagnostics generally has been a big deal. Um, and that doesn't just mean, uh, clinical staff working from home, but instead of having to see a, a doctor in a hospital, seeing them in your local c you know, a community center or in an office in a mall, these kind of [00:25:00] things have been huge developments.
 

On the research side. Yes. Now this is where we get into supercomputing quantum computing data analytics, that that whole, whole new, it's not a new world because they, they've been buzz phrases for a long time, but I think they're graduating from being buzz phrases to, I. Reality actually. Uh, now in, in many ways. 
 

Uh, and then the final one, which has been really popular recently is a topic of conversation in the security world. Connected medical devices, um, IoT or internet of medical things. Um, that's just expanded the surface area. And I, I think the, the final rationalization is there's a lot more outsourcing that might not sound like a technological development per se, but there's a lot more, more outsourcing of the enterprise to third parties, and that just creates, uh, the, you know, the supply chain threat.
 

So lots of developments there. A lot of 'em are truly positive. I mean, they are enhancing the quality of care, the [00:26:00] power of medicine. You mentioned precision medicine, population health analytics, but unfortunately they're often done without enough, coming back to your previous question, resiliency being b baked into them, um, as they're being adopted.
 

But those are certainly all powerful trends.  
 

Sean Martin: Yeah. So we, with that, we, I mean, I think we've covered Resiliency and, and certainly with it, but we didn't, I don't think we said privacy, but certainly that's baked into there privacy for him, the. The third piece of the wheel for me is integrity. And I know the, the paper also also speaks to misinformation. 
 

Um, I think it's, it's more targeted to efficacy of treatments and things like that during the pandemic, but I, I think there were lessons in there just for misinformation in general. Um. And with that comes data [00:27:00] integrity, um, and things like that. So any thoughts on that?  
 

Dr Saif Abed: Yeah. Well, yes. I mean, a lot, a long time ago, if people dig into my LinkedIn history, um, there's a period of time where I spoke a lot about data integrity, and I talked about the evolution of ransomware potentially becoming something, what I would call the clinical integrity, extortion attack instead of, you know, making things unavailable. You tamper with things like drug doses or mix up people's medical records and other terrible things that you can imagine. But holding an organization to ransom based on that threat, uh, frankly, uh, ransomware is too easy right now. So the threat actors don't need to get that sophisticated.
 

But we've seen examples of, uh, attempted attacks on water treatment facilities in the U.S. where compositions of the water treatment components were altered, and only because an engineer caught it at the, you know, very late in the day that they avoided anything actually happening. So, actually, [00:28:00] in the real world, this has been attempted now, um, and in a way that would threaten public health.
 

So I, I, I, I do think it's a concern. Um, is it a concern that the healthcare executive needs to be aware of today. I think we need to help 'em take baby steps first, uh, with issues like ransomware before we go further, but for those working in national security, global security, those in law enforcement, intelligence agencies, academic communities, yeah, I, I think this should, this is something they should be exploring and have, uh, at the top of their list.
 

Uh, again, as I mentioned before, cybercrime, cyber warfare, especially when you get into the more cyber warfare side of things. Uh, this kind of a threat, it's a true weapon, um, that we should be cognizant of as national critical infrastructure, uh, experts.
 

Sean Martin: So the, the, the big, the big question, and maybe we can start to wrap up this one, is, [00:29:00] I mean, in, in general it's a super complex topic, cybersecurity, right? 
 

And then healthcare is equally, if not more complicated when you start thinking of all the different ways that, that somebody can be treated and, and, and whatnot. Um. Who, how, where can we, can we make progress with ensuring safe healthcare delivery? Um, yeah,
 

Dr Saif Abed: It's, it's a great question. It's a great question.
 

Uh, if you've, if you've read the, the papers that I, I was the lead author on, uh, when I was, uh, advising the World Health Organization. I'm speaking in an independent capacity today, of course, but I'd encourage your readers to look for those papers. They are quite significant papers. Uh, you would see that I have two views on this. 
 

Uh, on the one hand, it's very much engaging hospital leadership, private sector leadership in the life sciences [00:30:00] space. And I don't mean, you know, your cybersecurity leaders. I, CEOs, COOs, um, people in those, uh, capacities to really get them to understand the risks and invest in their organizations', um, uh, cybersecurity, but tying it directly to outcomes, the outcomes of patients, the outcomes of their clinical services.
 

Uh, I would also encourage engagement with things like chief nursing officers, chief medical officers, 'cause they're the ones ultimately when things go wrong, they're the ones who have to advise the rest of their staff, this is how we're gonna do things, or are we gonna stop seeing patients altogether 'cause it's become unsafe.
 

So that's a very operational, dare I say, pragmatic side. The more ambitious side of me feels we need a global treaty to address this subject. Um, uh, I know many nations in the world don't necessarily see eye to eye right now, uh, but at least some nations should, should reach some global acknowledgement, some global [00:31:00] announcement that cyber attacks on healthcare organizations, it's a bad thing.
 

We should not accept it. And if possible, almost like a, a Geneva Convention, even between countries who are not seeing eye to eye, they should agree that that's off limits. Again, I'm being very maybe utopian in the whole thing, but you have to start with small steps and having something written down where everyone's agreed that this is actually a bad thing for the world and for public health and patient safety at a global level.
 

I think that's where we need to be. It's been achieved in other contentious areas. I don't see this as a contentious area. Um, it's just about getting people around the table to address it. So that's where my ambition sits in the answer to your question.  
 

Sean Martin: I, I, I love both of those views and for me, sometimes, even if, even if you don't reach the ultimate objective, the written-down-we-all-agree part, if you're having a conversation with, even [00:32:00] with some disagreement and an understanding of areas of agreement and disagreement, that's a whole lot better than not having that understanding. Right. Um, in my view anyway.
 

Um, Marco, my co-founder, is not here to stop me from the one more question, 'cause he, I think it's in this context of who and where. So you have the global and you have the, the provider, but there's this middle layer called the ecosystem filled with tons of stuff, right? It's the providers of the software and the devices and the, and the, uh, the systems that, that contain the EHRs and, my question to you is the, the role of third-party risk management, supply chain security, and all of this, um, clearly a part that needs to be addressed, but how, how do we get a handle on that? 'Cause stuff comes from everywhere. And to your point, a lot of things [00:33:00] are being outsourced and even software services are being outsourced with third-party services and things like that too.
 

So your view on, uh, third-party risk, supply chain?
 

Dr Saif Abed: Yes. So whereas with healthcare providers I'm more in favor of the carrots, with the ecosystem, as you describe it, I'm more in favor of the stick. Uh, I, significant fines should be levied. I believe that, uh, vendors should be barred from procurement opportunities that are operating in markets if they don't meet, uh, a nation's standards.
 

Um, I believe that senior leadership should be held accountable in, in courts or regulatory tribunals, um, because until your peer group sees that you can get in trouble for not addressing risk. They will not address risk. Um, and I say this unfortunately, from seeing it and being the type of person who's brought in, albeit as a consultant to help mop up the mess. 
 

[00:34:00] So I, I, it's a very blunt, but it's my simple answer, carrot with the providers, uh, you know, uh, for the most part. Uh, but stick with industry I think is necessary. And I work with industry a lot. Yeah. So it helps them get them on board when they know there's a stick.  
 

Sean Martin: So part two of that question, 'cause I don't wanna add another one, is to date the providers have been the, the party responsible for ensuring the level of risk is, is managed right on, on behalf of the vendors. 
 

So they're the ones responsible for the, God, God saved them, that they, the questionnaires, the endless questionnaires from thousands and thousands of vendors, and then trying to make sense of all that to then make a decision which vendors to use. Um, so how you mentioned following some standard and, and you don't meet, if you don't meet the standard, you get approved.
 

That, that seems to me like some [00:35:00] UL lab type, or what? What are you thinking there?
 

Dr Saif Abed: So, the hospital should be responsible for the safety of its patients and the quality of its services. And it is responsible for buying the technology, ensuring it is thoroughly vetted and it is safe, and that they have, they have processes in place to ensure if the technology fails that they can maintain safe and quality care. 
 

They cannot abdicate that responsibility. However, um, when they are going through a procurement process and they define, they should be, have far more awareness, say we want you to meet the following X, Y, and Z standards. If you meet those standards, you will maintain meeting those standards over the next 2, 3, 5, 10 years of a contract.
 

And additionally, and this is something I do advise healthcare providers to do, is to make it clear what their expectations are of a vendor if things go wrong. If their technology becomes unavailable, whether it's due to a fault of the vendor [00:36:00] or a malicious act, or we're talking about cybersecurity after all here, there should be an expectation of the type of support that will be provided by a vendor. 
 

Um, if a vendor then, in the course of having been procured, does not meet those standards, the stick needs to be brought out by the regulator, by the healthcare provider? Both. Um, because you procure, ultimately it's a pen and paper exercise. If the vendor said, we will meet all these standards, here are our accreditations, until they get audited where the event happens, it's quite difficult to test.
 

So I think that's why it's so critical. So provider has very clear responsibilities that I've outlined, but the vendors, they have responsibilities that they say they'll fulfill at the time of procurement, and there needs to be, that needs to be done. And if it's ever found not to be, um, or they are at fault for certain risks that they said that they had mitigated, then clearly there should be [00:37:00] standards and enforcement, um, or interventions from, from policymakers, a healthcare provider to ensure the industry understands that this will not be tolerated.
 

Sean Martin: Yeah, yeah. And I think there, for me, that's the, I'm not putting you on the spot, but I think that to me that's the sticking point. Uh, 'cause it is the industry and it one-on-one, it's feasible, but for one-on-one, many on many, it becomes unreasonable, I think, to expect every provider to assess every, every vendor and hold into accounts. And, and, and then there's zero live, it seems to me zero liability on the vendor side at this moment. Sorry, vendors.
 

Dr Saif Abed: Well, it's, I, I think that's a very powerful point you make. Uh, at the end of the day, for many of the providers I've engaged with, they have a shortlisting process. They end up with three selected vendors for whatever procurement they're doing, and then they pick one. And there's so [00:38:00] many aspects to negotiate, commercials and everything else. And to some extent, security is relegated a little bit, but it's addressed a little bit.
 

But then when security does become an issue, it's a really, really big issue. Um, and that is difficult. And very often vendors find a way to point, point at certain fine print that the providers couldn't get past. Um, so we need more support from the regulators on this side. Yep.
 

Sean Martin: Ah, the regulators. All right. 
 

Well, doctor, it's been a pleasure. Been a pleasure. I, uh, super, super fun having a chat with you. Um, thanks for your insight on kind of the, the global view of policy, the global view of, of the direction of, of change in the industry and, hopefully, hopefully policy and controls and, and risk line up little more closely with, uh, the, the speed with which we're advancing.
 

We need to advance it [00:39:00] because we want, we want better healthcare, so we can't slow that down. But, uh, hopefully the rest of it kinda, kinda catches up soon.  
 

Dr Saif Abed: I, I hope so too. One can only dream.

Sean Martin: That's right. I'll dream right there with you. All right, well, well. For those, uh, listening and watching, uh, as usual, uh, I'll put a link to the post from Dr. Abed for the papers that were referenced here. And, uh, any other resources, uh, you want us to share, uh, doctor, we'll, we'll include those links as well. And if you have thoughts on any of the points we talked about, I would encourage you to, uh, to comment and, uh, presumably, you know, somebody who has thoughts as well.
 

So please share this with, uh, with your friends and your colleagues and maybe even your enemies, I like to say. But, uh, doctor, again, thank you so much for, for joining me. Uh, not the last time you'll be on, I'm sure. I, I have a feeling we'll, we'll have many things to talk about over time, so you're very welcome back anytime and, uh, hopefully we'll see you again [00:40:00] soon.
 

Dr Saif Abed: I've enjoyed it and thank you so much for having me.  
 

Sean Martin: Thank you.