Welcome to Risk Never Sleeps!
May 10, 2023

Episode #11. Building Stronger Teams for Better Cybersecurity with Greg Garneau, Chief Information Security Officer for Marshfield Clinic

The United States must take a stronger stance against cyber threats.

In this episode, Greg Garneau, Chief Information Security Officer for Marshfield Clinic, talks about cyber risk as a threat health systems face and how tightening security processes and working together helps organizations prepare for it. Greg is constantly rehearsing, practicing, and proofing Marshfield's resiliency, security processes, and procedures so that the health system can recover quickly when a cyber attack happens. He shares how, with Censinet, Marshfield has transformed its third-party risk assessments, a process that is crucial for any organization but that used to consume a great deal of staff time. Greg believes security programs have been siloed for too long, and that building great teams and establishing collaboration will ultimately make security processes better and everyone safer. Organizations never know when they'll be attacked, but being prepared is the best strategy.

Tune in and learn more about ways to leverage teamwork for cybersecurity!

About Greg Garneau:

Greg Garneau is the Chief Information Security Officer for Marshfield Clinic. He is a dynamic information security leader with over 25 years of experience in information security and information technology and has demonstrated expertise in managing large, complex information security programs. Greg is a creative problem solver and strategic decision-maker in an ever-evolving cyber threat landscape. He holds a BA from West Liberty University and an MBA from Western Governors University, and he attended the FBI CISO Academy in May 2022.



Things You’ll Learn:

  • Marshfield Clinic is an integrated health system with 11 hospitals and 60 clinics.
  • Marshfield is one of the nation's largest rural health systems and also runs a world-class research institute and a health insurance plan.
  • Ransomware is a constant, existential threat for health systems, and the steady stream of high-intensity national alerts causes alert fatigue that has worn on security teams across the nation.
  • Work is easier when surrounded by smart, talented, dedicated people.
  • Introducing third-party solutions into an organization inevitably opens risk gaps, so it's important to have processes that reduce that risk without becoming an impediment to the business.
  • The FBI CISO Academy is a great space to learn from the best in cybersecurity and also build relationships with key players nationwide. 
  • One should find joy in learning and continue to nurture curiosity.


Resources:

  • Connect with and follow Greg Garneau on LinkedIn.
  • Follow Marshfield Clinic on LinkedIn.
  • Discover the Marshfield Clinic Website.
  • Music by David Cosgrove, an accomplished composer, musician, producer, and engineer. Listen to his latest project, Del Piombo.
Transcript

This audio was automatically transcribed by Sonix. The transcript may contain errors.

Ed Gaudet:
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet.

Ed Gaudet:
Welcome to the Risk Never Sleeps podcast in which we discuss the people behind protecting patient care. I'm Ed Gaudet, the host of our program, and I'm pleased to be joined today by Greg Garneau, Chief Information Security Officer for Marshfield Clinic, an integrated health system with 11 hospitals and 60 clinics whose mission it is to enrich lives through accessible, affordable, compassionate healthcare. Welcome, Greg.

Greg Garneau:
Hey, Ed, thanks so much for having me. A pleasure to speak with you today.

Ed Gaudet:
Yeah, no, excited to hear more about you and your background. And I know our listeners are looking forward to hearing what you're up to at Marshfield Clinic.

Greg Garneau:
The clinic is one of the nation's largest rural health systems. We also have, in addition to the hospitals and the clinics, we're a world-class research institute, as well as a health insurance plan. So all of that falls under my purview. So there's never a dull moment in our world.

Ed Gaudet:
It keeps you up at night. So how did you get started in healthcare, specifically IT or cyber?

Greg Garneau:
So I've been in IT and security for over 25 years and have been living in the security space for, I don't know, the last 10 or 12 years. And oddly enough, we were looking to make a move, and we have vacation cabins up in northern Wisconsin and had to take our daughter in, who had strep throat or a sore throat. And my wife said, Boy, these folks are really technologically advanced. Have you thought about looking into them? And that was the genesis of my discussions about wanting to come work for the health system. So we talked to them and made the move from Atlanta up here to central Wisconsin.

Ed Gaudet:
Wow, and you've been there eight years?

Greg Garneau:
I think so, yeah, eight years. In April, we'll start our ninth year. So it's been great, and thankfully, everybody in the family has enjoyed winter sports, and they didn't mutiny on me, so that was great.

Ed Gaudet:
So 25 years is a long time to be in cyber. What got you in there?

Greg Garneau:
... IT and cyber, but it was happenstance that I got into the IT world. I had an opportunity to go to work for AT&T Global Information Systems back in the mid-90s, and that's where I got the bug for computer networking and systems and architecture, and the career transformed into what it was in the early 2000s. Started working on holes in network security at that point and then eventually found my way into full-time cyber security work. And it's a passion, I absolutely love it. I think I really found my niche in healthcare cyber security. I loved the mission, the mission of protecting things; I really find value in the work that I do. It's definitely reaffirming.

Ed Gaudet:
Yeah, it's such a great opportunity to experience a shared mission with customers. And it's unlike any other industry I've ever been in. Healthcare is very unique and very special.

Greg Garneau:
Yeah, it's also good to be surrounded by talented folks who share your same passion.

Ed Gaudet:
Exactly. Yeah, it's like that North Star for folks. It keeps everyone aligned and working together in the same direction. With such a large organization, what keeps you up at night? What are the things you worry about?

Greg Garneau:
I think you can't be in healthcare, or in any kind of CISO role, but particularly in healthcare, and not be worried about the effects of those existential moments where ransomware hits your organization, or you're impacted by that type of security event. So those are the things that we really spend a lot of time on, rehearsing, practicing, proofing, ensuring that we have our resiliency processes and procedures down, and doing the very best we can to get to that restorative state quicker than most people have been. But you can't be in healthcare cybersecurity and not be concerned about the news from, I think it was Lehigh Valley Health system, where they didn't pay the ransom, they were trying to restore, and the threat actors threw a bunch of horrible images out on the dark web. That should say something about the people you're dealing with; you have to understand that they're coming after hospitals' infrastructure. And while people are trying to be saved and trying to impact healthcare, there's a certain level, it's definitely, they're bad people, bad actors, and we need to do more to stop them.

Ed Gaudet:
Yeah, not to mention we're dealing with bad actors and the attacks during the pandemic that's been thrown at us and our teams.

Greg Garneau:
That was insidious, that was insidious, even literally during that October of '20, when we were alerted by the FBI and CIA about those active attacks that were planned. To me, that's an act of war. I think, what do I know, I think we should treat it as a terrorist act and then act accordingly against those threat actors, but there's a lot more nuance to it, I understand. But I think we as a country need to start taking stronger stands against that, and the president's cyber security strategy memo that came out this week, I think we'll talk about that in terms of taking the fight to the bad guys. But yeah, it's been a rough couple of years for us, right? It's been high-stress, high-intensity alerts, and we talked about alert fatigue from the national level, but the impact it has on your teams having to spin up, hitting that red button because there's a new emerging threat that we all have to be mindful of, it's definitely taken its toll.

Ed Gaudet:
Yeah, it certainly has not let up. And so, given all those pressures, what are you most proud of this past year, personally and professionally?

Greg Garneau:
The team, being surrounded by amazing people, and I've said this before on a number of different occasions: your job is much easier if you have really smart, talented, dedicated folks working around you and with you. I'm proud of the team that we've built over the last year and the solutions. Frankly, we had a lot of solutions that we implemented to help us meet the challenges of today, from the Typekit perspective, and the folks stepped up to help and make sure that our security objectives for '22 were met with all the things we needed to do. Personally, I was honored to be chosen to attend the FBI CISO Academy at Quantico last year in May. That was a very impactful event in my career; I met some really amazing folks with the FBI cyber division and a number of CISOs throughout the different critical infrastructure verticals, and it was very impactful, and I made a lot of nice friends there.

Ed Gaudet:
Our listeners would love to hear more about that, or some of the experiences that you found really interesting or insightful.

Greg Garneau:
I think more than anything, it was an opportunity for you to talk to others, not necessarily in your field, but there were quite a few others in healthcare. It was a small number of folks; I think there were about 20 of us, so it wasn't like a huge group of people. We had an opportunity to learn from the FBI, build relationships with the folks that we need to reach out to when boom happens, right? So as opposed to just some nameless individual or a phone number to call, we started to interface more with some of these great folks at the FBI and other federal agencies. That was good, as well as interfacing with your colleagues and others.

Ed Gaudet:
Excellent.

Greg Garneau:
And you go to Quantico, which was fun. I had to put my junior G-man badge on and pretend that was something for a week.

Ed Gaudet:
So do you get some badge you can put in your wallet?

Greg Garneau:
Yeah, I was asking. They're like, there's no way in heck we're giving you one. My kids are convinced I was going to be fast-roping out of a helicopter, but I think that would have ended badly.

Ed Gaudet:
That's great, that's excellent. And I just want to echo and go back to your team because I'll tell you, you have an amazing team. My team has been working closely with them. I'm just really honored and humbled by the strategic guidance and insight your team's been giving us on the product, on the workflows, and our listeners would love to understand more from your perspective on how you think about third-party risk and enterprise risk and how those things are colliding. And how do you think about transformation, the impact of that as you really transform your organization to take advantage of some of the new things?

Greg Garneau:
That's interesting. We've been doing, you know what I'll call, they used to call them security reviews, right, for about ten years. They weren't very mature, but when I took over, we started to do our very best. And by the way, I'm, this week, I'm starting my eighth year as CISO, which means I'm like a CISO dinosaur. I do have some gray in my beard.

Ed Gaudet:
Now, you're the one guy that's been there for years.

Greg Garneau:
Yeah, no, the interesting thing is I believe so much in the mission of Marshfield supporting rural healthcare and serving underserved populations that it's a great organization to work for, and I'm really proud of the people here. So it's been a journey, it's been transformational in terms of how we look at third-party risk, but we've been doing it for a long time, and it was homegrown. Like a lot of folks, you build out your spreadsheets, and you build out your questionnaires, and what you're looking to do is ensure that the solutions that you're bringing into your organization don't introduce unnecessary risk that will ultimately impact patient safety or the health system, right? Because you're opening up gaps by introducing them. So we've spent a lot of time developing those questionnaires and trying to mature the process, working with our analysts on the care delivery side of the house, the shared services side of the house, and getting them indoctrinated into that, and we've been doing a fairly good job. We did a very good job. But then we found Censinet, and I think, frankly, I know we've talked about this, and my team has, it's a bit of a game changer for healthcare cyber in the sense that I've been talking to colleagues the last few years saying, why can't we just have a vendor or someone put together a solution? Because we're all pretty much using the same tools by and large, why do I have to go through the same exercise that you have? Because you just bought a Fuji CRM, and we got the same Fuji CRM. Why can't we utilize some of that same information or make the process more streamlined? And what we've done over the last, I don't know, it's not been a year, eight months or so, we've had a chance to transform how we do third-party risk assessments. And I think part of the problem with the risk assessment process, for us, from my lens, was you had a lot of folks spending a lot of time on it.
So you had to have the analysts chasing down the vendor, you had to have security analysts spending a ton of time on ... use, and looking at these third-party risk assessments, and there was a lot of wasted time. And the ability for us to shorten that time, pull out a lot of the resources that are needed to make this work, and build in automation and a lot of those other neat little buzzwords that we all love to talk about, but it's true, and it's helped us meet our goals. Our goal is not to be an impediment for the business because of security. I can't tell you how many times you've heard, I'm stuck in security. Yeah, it is, it was. But the goal was to say, how can we change that dynamic? How can we change the narrative and help meet the business needs without extending the time in which it was sitting in our team's court? And working with your folks, we've been able to do that, and I'm very pleased with the outcomes.

Ed Gaudet:
Excellent, and when you think about other areas of risk in the organization, do you see opportunities to consolidate some of those silos that exist? You mentioned you're a research firm, or you're doing research, essentially. Are you also looking at bringing IRB assessments into that?

Greg Garneau:
Yes, we are, actually. I sit on the IRB board, and I have for the last six years, but we're also looking to use the IRB module and see how that can help us streamline the process that we use when reviewing those IRB submissions. We're not quite there yet. I know we've started doing some rudimentary information gathering on how that's going to help us impact the process and introduce change, but we haven't really gone too deep into that. But we're using Censinet across all different platforms. So from a SaaS review to a piece of medical equipment to an enterprise system, all of that is now, as opposed to going through our old SharePoint sites with Word docs and Excel spreadsheets, we're pushing that all through Censinet, and I think it's been very good up to now.

Ed Gaudet:
Excellent. I appreciate that, and again, appreciate you being an advisor to me and part of the customer advisory board because, again, your insights have been invaluable.

Greg Garneau:
Yeah, good group of people. And it's nice to see it's all one fight. And I say this all the time, right? It used to be that a lot of security programs would be siloed; they wouldn't talk to each other in different organizations. But it's that one team, one fight; we're all suffering through some of the same pain points. And if we can help each other by helping you on the advisory board make the product better, which will ultimately make the process better and us safer, we're all for it.

Ed Gaudet:
Okay, excellent, excellent. Thank you, and again, thanks for all your support. We're going to switch gears a little bit. Our listeners always want to understand the person behind the role of protecting patient safety. So outside of healthcare.

Greg Garneau:
Or the lab.

Ed Gaudet:
What are you most passionate about? What would you be doing if you weren't doing this, Greg?

Greg Garneau:
That's a really great question. I love to fly fish, and I've been fly fishing for a number of years. I did the fly fishing thing in faraway places such as Tasmania, in the middle of the Central Highlands of Tasmania, so that was kind of fun.

Ed Gaudet:
Did you see a Tasmanian devil?

Greg Garneau:
I didn't see the devil, but we saw a bunch of wallabies and cool bats and all sorts of crazy things, but it was great. But I love to fly fish, and here in Wisconsin, you know, there are lots of opportunities, and I go out west a lot too. I really enjoy that. I enjoy being able to share that with my children, and they're starting to enjoy that more. My wife is fond of saying that when I'm out on the water, my workaday life, things get stressful, and you can get tense, but if I'm out on the water, even if my lines are tangled into birds' nests, I'll just calmly work through it and get it untangled and just be calm and peaceful out there, so I've enjoyed that. I also built my own bamboo fly rod.

Ed Gaudet:
Oh, cool.

Greg Garneau:
Yeah, I have a friend of mine who is one of the preeminent bamboo fly rod makers in the world, and he held classes to build your own fly rod. It was the hardest thing I've ever done. It's the most intricate, detailed thing I'd ever done, but I was super proud when it was completed, and it's an heirloom, and I fish it every so often, and I'll pass it down to my kids. I'll let them fight over who gets it.

Ed Gaudet:
You make your own flies as well?

Greg Garneau:
Ed, I did. I have all the gear, and I started doing some of that and took some classes, and I enjoyed that. Ultimately, I just came to the conclusion it's a heck of a lot easier to go to the store and buy it.

Ed Gaudet:
Like everything else, right?

Greg Garneau:
I'm sure. I'm sure later in life when I retire, I'll spend a little bit more time building my own flies just because it's something interesting to do.

Ed Gaudet:
Imagine that connection with nature too, must also have this spiritual effect as well when you're out there.

Greg Garneau:
Yeah, it's the place where you can decompress. For me, the outdoors is good. I also have a farm, so riding around on my tractor doing farm things is always a lot of fun. Yeah, we make our own maple syrup, and we have bees, and we have cows and critters. I liken it to Noah's Ark minus the water.

Ed Gaudet:
I like the bees. How much honey do you produce?

Greg Garneau:
We have two hives, so we get a fairly decent amount. It's not a ton, but it's enough to keep us interested, and frankly, we just give it out to friends and family for Christmas.

Ed Gaudet:
We got to keep the bees alive.

Greg Garneau:
There you go.

Ed Gaudet:
If they're not, that's not good for us. I love this question, and I know our listeners love it. What would you tell your 20-year-old self?

Greg Garneau:
Yeah, my 20-year-old self was definitely a bit of a knucklehead. I hadn't quite become a good student yet. I was far better at being a fraternity guy and knowing the specials every night of the week at the local campus bars. But eventually, we sorted it all out, obviously, as we're here. I would say, find joy in learning, not as an exercise in just getting from point A to point B, like something you have to do to get your degree. I learned that later in life, when I was starting to work on advanced degrees and other things, because what we do here, we're constantly learning, so enjoy that and continue to nurture your curiosity. Those are some of the things that I would tell my 20-year-old self.

Ed Gaudet:
That's excellent. You know, you have to be, I think, a voracious reader and curious, and always a student of learning is how I put it. Always being willing to be open to learning new things, and be proactive about it, too. Because I think oftentimes, the pressures of the day can take over, and we sometimes miss the forest for the trees.

Greg Garneau:
Yeah, absolutely. That's important. I tell all the folks on our teams that they need to be very purposeful about disconnecting and going to the place where you find happiness.

Ed Gaudet:
Exactly. All right, so I would be remiss if I didn't ask you this last question since we are the Risk Never Sleeps podcast. What is the riskiest thing you've ever done?

Greg Garneau:
That's a great question. That's a really great question, and I don't think I have a very cool answer. I think taking a flyer and moving my family from a safe space, when I was in Atlanta for 20 years, coming up here, that was probably one of the riskiest things I've done, and thankfully it worked out great. I love it, and it was a fantastic move, but it could have been fraught with danger to leave your comfort zone. It's basically like Cortez, right? When you get to the new world, all that good stuff, you're hoping that it works out, and it's a leap of faith, and thankfully, we've found this to be an incredible place to raise our family. And the Marshfield Clinic health system is one of the greatest organizations to work for, so we've been blessed and lucky.

Ed Gaudet:
Any last comments for listeners? Any insight on cyber? Anything you'd like to share?

Greg Garneau:
I don't think I have anything unique to share other than to say we work hard every day to continue to save and serve, save lives, serve our patients, and it's important that we keep doing it and that we evangelize why we have to do it to our leaders, and make sure that you're really good at telling that story and sharing that narrative in order to make sure that you get funded and you get the staff you need, especially given today's ...

Ed Gaudet:
Thank you, Greg. Thank you for your time today and thank you for joining the podcast. And if you're on the frontlines protecting patient safety, remember to stay vigilant and diligent because Risk Never Sleeps.

Ed Gaudet:
Thanks for listening to Risk Never Sleeps. For the show notes, resources, and more information on how to transform the protection of patient safety, visit us at Censinet.com. That's C E N S I N E T.com. I'm your host, Ed Gaudet, and until next time, stay vigilant because Risk Never Sleeps.
