RNS_ Erik C Decker: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Ed Gaudet:
Welcome to Risk Never Sleeps where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet.
Ed Gaudet:
Welcome to the Risk Never Sleeps podcast. I'm Ed Gaudet, I'm the host today and I am joined by my good friend Erik Decker. Hi, Erik.
Erik Decker:
Hey Ed, how are you doing?
Ed Gaudet:
Good, good. Erik is the C I S O, the CISO, at Intermountain Healthcare. Prior to Intermountain, he was the Chief Security and Privacy Officer at University of Chicago Medicine. He has over 25 years. 25 years, really? You're that old?
Erik Decker:
I see.
Ed Gaudet:
Of IT and security.
Erik Decker:
It's a ... in here.
Ed Gaudet:
You do, you certainly do. Of IT and security experience. He is the chair of the Health Sector Coordinating Council working group on cybersecurity and the co-chair of the 405D Task Group public-private partnership with Health and Human Services, and that group does a lot for cybersecurity in healthcare. So we're going to talk a little bit about that today. So without further ado, let's get started. You just got back from, where were you, Amsterdam?
Erik Decker:
I was all over the place, actually. I had a seven-day trip where I started in Chicago, went West, and circumvented the globe. So I know what that now feels like. In case you're ever wondering, flying across the world in seven days is pretty tiring. So if I sound a little sleepy or groggy, it's because I'm still recovering from it.
Ed Gaudet:
Well, that's what I'm here to do, I'm going to probe you a little bit and ...
Erik Decker:
Okay.
Ed Gaudet:
All right, let's start with the first question.
Erik Decker:
Sure.
Ed Gaudet:
How did you get into healthcare? How did you get into cyber?
Erik Decker:
So cyber, different questions, actually. So when I did my undergraduate degree in Cell and Structural Biology, actually, I don't know if you knew that or not. When I started off.
Ed Gaudet:
Citing Erik, that sounds like a party starter.
Erik Decker:
It is.
Ed Gaudet:
Yeah, absolutely.
Erik Decker:
When I was doing my undergrad, I was very interested in research, genetic research, immunology, those kinds of things, but it was also right around the dot-com era when, if you knew anything about computers, you were able to just go out to California and make a nice career out of it.
Ed Gaudet:
All you needed to do is be able to reboot and you could actually.
Erik Decker:
That's very true. So when I graduated.
Ed Gaudet:
... fortunately did reboot.
Erik Decker:
Yeah, so when I graduated college, I was always kind of doing the computer science stuff on the side and I started off doing that. So I came up in a very technical way, actually, started off in systems and network engineering, actually used to work for a local municipality. I'm from a town called Normal, Illinois, so I worked for the Town of Normal actually for about seven years, and that was right around the time when information security, information assurance, cybersecurity, now it's had a bunch of different names, when that profession was coming up, and it had always fascinated me. So I chose to pursue that as a full-time career in 2007, that's when I moved to Chicago, and started doing the hard science of cyber. So I was a practitioner for a long time, started in higher ed, and I kind of went on the cyber side, I started in higher education. And when my husband and I moved to New York is when I got into academic medicine, healthcare in general, and it was kind of academic medicine, higher ed, and the healthcare side, so both of them came together. And that was, I found a niche, somehow I seemed to understand this, I don't know, if anybody can understand this stuff, and became pretty proficient in it, so I've been doing that since then.
Ed Gaudet:
Yeah, so tell us about Intermountain. It's a very big system, tell us what keeps you up at night.
Erik Decker:
Yeah, so Intermountain, we are a seven-state integrated delivery network. What that means is we have a health plan as well as a delivery organization. So about a million members on the health plan, and just, where are we at, 33 hospitals, I think, on the healthcare delivery side and hundreds of clinics, hundreds of physicians, of course. We cover the Mountain West region, so Utah is our base. Salt Lake City is where we're headquartered, but we have a very substantial presence in Colorado, Idaho, Nevada, Montana, Kansas, and I think parts of Arizona as well, just like a little snippet in there. About 60,000 employees, we call our employees caregivers because we connect the entire mission of healthcare to everybody who works in Intermountain, and about $14 Billion in revenue. So a substantial organization, great name, highly innovative company. We spin up all kinds of, we call them new codes, and new companies focused on particular problems that we're trying to solve, be it like we have a pharmacy called CivicRx that is right now focusing on developing a $30 insulin shot, not copay, but just straight up low-cost insulin for everybody with type two diabetes. Really, really focused in on, as an organization, providing, caring for the whole person and providing quality care at a low cost. That's where we differentiate ourselves from the competitors.
Ed Gaudet:
And from a cybersecurity perspective, tell us a little bit about your team, your program, and what keeps your attention.
Erik Decker:
Yeah, so I have 150 people on the team, so it's a substantial team. The program has been around for a long time. My predecessor, Karl West, did a fantastic job at honestly taking this program and bringing it forward a couple of generations. When I joined, two years ago, we focused heavily on a, we called it the Gen three plan or the Gen three update, so the third generation of the cyber program, and secured some additional investments in our folks and our program and capabilities. When you think about what keeps you up at night and such, I mean, there are several things there, probably some themes from that we'll talk about later on. I think one thing that has become very paramount is cybersecurity is really connected to the resiliency of the organization. And we have seen how dramatic these cyber attacks and the disruptions of ransomware attacks and so forth can, like the damage that they can cause for patients and for the organization, that certainly is of concern. I also look at this from a public health perspective. So moving beyond just the organization itself, but also the region that multiple health systems might be able to connect into, or even just at the national level. When you start thinking about the right of healthcare that patients have, being able to manage acute issues, emergency issues, trauma issues, etc., we are really all connected at the end of the day and in a large ecosystem here, and when one is hit that causes impacts on others that are around. There's a lot of conversation going on in DC about this right now and how we really have to do better, not only just from our own organizations and making sure that our organizations are secure, but looking at the whole sort of national system as well and making sure that we're building it in such a way that can be resilient. So I would say, long answer, resiliency is what keeps me up at night.
Ed Gaudet:
It's a nice dovetail into the work you do with the HSCC and 405D. Any thoughts on things that you're working on that you want to share with us today?
Erik Decker:
Well, there's a lot of stuff. So first of all, I don't know if our listeners know what the HSCC means other than some acronyms, maybe I can give you a quick overview of that. So the HSCC stands for the Health Sector Coordinating Council, and within the Health Sector Coordinating Council, there are multiple working groups and one of them is the Cyber Working Group, and then within the working groups we have multiple task groups. So we have about 15 task groups underway right now within the Cyber Working Group. I actually serve in a capacity at all three of those levels. I'm the officer, an officer at the HSCC level. So this is all hazards, all, could be environmental, pandemic, terrorist, human-operated, cyber, all these different types of threats that we face in healthcare. This was established, this whole concept was established in presidential directive, I think this presidential directive before this, but Presidential Directive 21 is the one that I know that really codified a lot of this. And ultimately what that directive said was that there are 16 critical infrastructures that have been identified that have some kind of public interest within these various industries. So some examples of the industries are transportation, oil and gas, finance, agriculture, healthcare, water, you know, these are all things that we rely on as a society, and in many cases within those industries, it's actually run by private organizations instead of by the federal government. And so knowing that there is a public interest in this critical infrastructure that is owned and operated by private industry, there has to be a partnership in place with the federal government in order to make sure that we're protecting the interests of our fellow man.
That whole construct, the HSCC, and all of that was born from that presidential directive, now codified into law under the National Defense Authorization Act from about a couple of years ago, which was when I think Congress passed that, and we organize around that. Now, within the Cyber Working Group specifically, we have about 370 or 80 organizations that are members and very close to 800 people within that representing those organizations. We need more. When you think about just hospitals, there are 6000 hospitals in the United States, and that's only a slice of the representation of those 6000 hospitals. And this group covers all subsectors of healthcare, I mean, healthcare is a huge industry. It's a massive part of our gross domestic product. There are seven subsectors, so you've got pharma, you've got medical technology, you've got health plans, you've got lab, blood, hospitality, healthcare delivery, etc. So when you think about securing the whole healthcare system, you really have to make sure you have representation of the whole thing. That was a long precursor of what this group is. So we're really heavily focused on the security of the national health system, thinking about it broken up into the various components of the private organizations. We do this in a couple of ways. So one way is we have task groups that focus on very specific products that we want to build. So some examples of that are, there's been a lot of work on medical technology recently. There's this thing called model contract language, which is an example of commercial contracts and language within the commercial contracts that healthcare organizations can use with their medical device manufacturers. That has, you know, we had both the medical device manufacturers and the healthcare delivery organizations come together and come to an agreement about what are some of the contractual languages that we feel would be important.
The FDA was involved, this is something released specifically by industry. That's an example. There's legacy devices within the medical technology. That was another one that was just produced. The 405D task group, which is the one that I co-lead in addition to being chair, that's focused on what are the five threats that the healthcare system faces and ten practices to mitigate those threats, and then we stratify that by small, medium and large-sized organizations, because not every organization is the same, not every organization has the same number of resources and capacity to be able to manage issues, and the threat profile is different if you're a small medical practice versus a large integrated delivery network. So we wrote a document, or actually several documents, to sort of help the organizations along. It's all voluntary. This particular product was released in, beginning 2019, and it was jointly released by Health and Human Services and the industry. So this is currently the only product that has been jointly released by HHS. There's another one coming, which is the CSF implementation guide, so that should be hitting the floors here pretty soon, actually. We were hoping that was going to be released by end of last year, but it's still not, they're still getting clearance through HHS. All right, I rambled a long time there.
Ed Gaudet:
That's great, no, listeners, if you don't know anything about the Health Sector Coordinating Council or haven't had a chance to go to the website and learn more, I highly recommend it. There are a lot of resources out there available. If you're in healthcare and you're in cybersecurity, even if you're not in healthcare, it's really interesting to view all the work that this group has done over the last five, six years or so. So kudos, Erik, great job, great work. Thank you for your service there. I certainly use those documents and they're very useful. All right, so this podcast really focuses on the people protecting patient safety. So the people behind the things that you do and the things that we do. And so we're going to turn this a little bit and we're going to, our listeners really love to hear about you as a person, as an individual. So I've got a couple of personal questions here.
Erik Decker:
Okay, all right.
Ed Gaudet:
So outside of healthcare, outside of what you do every day, what are you passionate about? What would you be doing if you weren't doing your current job?
Erik Decker:
If I wasn't doing my current job, well, I'll say that my father is worried that I'm going to become a politician.
Ed Gaudet:
Excellent, I would vote for you.
Erik Decker:
He keeps telling me like, you're not allowed to run for office. I was like, I don't have, I couldn't run for office, it's fine.
Ed Gaudet:
That's why you could run for office.
Erik Decker:
I am a pretty passionate guy when it comes to cyber and these spaces, much to my husband's chagrin at times because I spend a lot of time on this. But outside of all of that, you know, I live here in Chicago, my husband and myself, we have a rescue bulldog pit mix, her name is Maggie, and she is the laziest dog in the entire world, which I absolutely love, we get along great. If the listeners can see behind me all the like, well, you could see eccentricities that are going on back there.
Ed Gaudet:
Your D&D, your Dungeons and Dragons.
Erik Decker:
Yeah, I know. I got all kinds.
Ed Gaudet:
I love it.
Erik Decker:
I got like Star Wars things. I've got swords on the wall, you know, I revel in my nerdom. I think there's no reason.
Ed Gaudet:
Yeah, in fact, I did something pretty cool recently, and the Star Wars. I share some of that.
Erik Decker:
So we, I took my family to the Star Wars hotel at Disney World in Orlando, and my two youngest nieces loved it to no end, the rest of my family tolerated it for probably a day. I, of course, was enjoying the heck out of it. If you ever get a chance to do it, it's expensive, but Disney does an amazing job of just curating their experiences, you know? And so it was over the top, it was pretty incredible. Other than that, I can be pretty lazy. I will be more than happy to just waste a day away if I can.
Ed Gaudet:
Oh, I subscribe to that. Especially when it snows out, we got like five inches over the last 48 hours here. What would you tell your 20-year-old self?
Erik Decker:
So that's an interesting question. When I was younger and I was living in Normal, there was a gentleman, a friend of mine, his name was Phil, and he was like the primo coder/hacker, you know, not in a decent way, but just like he's so smart. And I remember thinking to myself, he was, this is like, again, right around the time that information security was kind of coming up, and this guy, like, knew everything under the sun. And I just looked at what he was able to do and I was like, there's no way I can, I'm not smart enough to do this. I was interested in it, but I definitely didn't think that I was capable of doing it. And then I came across several people in my early career who saw potential in me, and they're the ones that honestly encouraged me to break out of my own limitations. So I think what I would tell my 20-year-old self is don't limit yourself, don't put artificial barriers in place, because you're actually capable of so much. I think that human capacity is something that's incredible. And I never thought in my wildest dreams when I was younger that I'd be doing the things that I'm doing today. I still pinch myself every now and then, and I go, how did I get involved in this? How did I make it over to this? How am I the chair of this cyber working group? How were we at the White House last year? We were invited at the direction of the Office of the National Cyber Director. And again, it was one of those moments where you're like, I have no idea how my path led me here.
Ed Gaudet:
Other than some exciting news today too. I saw on PR Newswire, you've won a Malcolm Baldrige Foundation Leadership Excellence Award. So tell us about that ...
Erik Decker:
Again, you know.
Ed Gaudet:
Yeah, that's really, that's amazing.
Erik Decker:
I don't know what to tell you about that, other than.
Ed Gaudet:
It's a big deal, it's a pretty big deal.
Erik Decker:
... we're going to be there on the fourth. A couple of folks are coming with me to accept it. You actually get a medal, they put a medal around you, which is something else. So, again, I don't know. I have a hard time talking about this stuff because I don't know how to talk about it without sounding like an egotistical so-and-so.
Ed Gaudet:
Okay, we'll move on from that, and I have even a tougher question, since you did so well with that last one. What's the riskiest thing you've ever done in your life?
Erik Decker:
Yeah, okay.
Ed Gaudet:
This is the Risk Never Sleeps podcast. Yeah, we're going to work ...
Erik Decker:
So I'm a pretty risk-averse kind of guy, just so you know.
Ed Gaudet:
I do know.
Erik Decker:
Except when it comes to Cheers, the bar in Boston.
Ed Gaudet:
That's right, you let your hair down there.
Erik Decker:
Yeah, well, the day Kirstie Alley died is a day of mourning.
Ed Gaudet:
A sad day, it was a sad day.
Erik Decker:
So the story that I have here is one that I don't think I really realized how risky it was until much, much later. So I used to scuba dive when I was younger, and one of the spots we would go to is Cozumel, and in Cozumel there's a trench that runs on the eastern, northern-eastern side. You used to be able to do dives down on that trench. It was like the rockiest part of the diving that's in Cozumel because it's kind of like, you're coming up to open sea. You're right up against the Gulf of Mexico. There's all kinds of current that runs through there, and then you have this massive trench that you go down. And so I remember I did this dive several times where you jump out of the boat, you go down and you go down to the bottom of the sea floor. You put your arms out and you're just like literally flying through, along the ground, because the current is that strong. And then you come up to this trench that is a sheer cliff that goes straight down for 1000 feet. Yeah, one of the biggest trenches that's in the Atlantic is like right there. So this is the deep dive, so you go and do like 130 feet for only a few minutes. And so you go down a little bit and you're kind of, you're skimming the side of this trench and you see the fish life and everything that's there, and then you go up. Well, I found out later on they shut that dive down because so many people died while doing it, and I didn't know that until like years later. And so you can't do that dive anymore, but I still have this visceral kind of memory of what that was like, so there you go.
Ed Gaudet:
Why were people dying? Do you know?
Erik Decker:
Because it's dangerous, because you're down too far. It's very easy to go farther than the recreational dive limit, you get the bends, you can get all kinds of stuff that happens to you. So it's a, nitrogen absorption is a big deal in diving. You can't get too saturated, otherwise you get problems.
Ed Gaudet:
Holy cow. Well, that is.
Erik Decker:
There you go.
Ed Gaudet:
Yeah, there you go. That is the bar now.
Erik Decker:
But I will not jump out of a plane, I will not jump on a bungee jump. Those things are, that's too much.
Ed Gaudet:
I spoke to someone a couple of weeks ago. They were in New Zealand and they were just coming off of a bungee jump. Well, I'm like.
Erik Decker:
Man.
Ed Gaudet:
I can't. I'd lose a hip or something, I'm sure. All right, well, Erik, thanks very much for your time today, really appreciate it. And thanks, everyone, for listening. This is Ed Gaudet with the Risk Never Sleeps podcast. If you are on the front lines of healthcare, protecting patients and care delivery from cyber attacks, we salute you, and remember to stay vigilant because Risk Never Sleeps.
Ed Gaudet:
Thanks for listening to Risk Never Sleeps. For the show notes, resources, and more information on how to transform the protection of patient safety, visit us at Censinet.com. That's C E N S I N E T .com. I'm your host, Ed Gaudet, and until next time, stay vigilant because Risk Never Sleeps.