Welcome to Risk Never Sleeps!
Feb. 4, 2023

Episode #1. Risk Awareness and Building a Sustainable Cyberculture with Drex DeFord, Executive Healthcare Strategist at CrowdStrike

For the first episode of this podcast, host Ed Gaudet welcomes Drex DeFord, Executive Healthcare Strategist at CrowdStrike, who shares deep insights about cybersecurity in healthcare, taking risks, and even his personal life. Drex wound up in cybersecurity after a long career in healthcare with an Air Force background. There, he was able to witness how the United States' infrastructure and small-sized healthcare organizations have long relied on systems that lack good cybersecurity programs, a problem he believes can be approached by building a sustainable cyberculture. He reflects on his past self, how risks have shaped him into who he is today, and three key items when responding to incidents: perspective, experience, and resilience. Drex also chats with Ed about the value he finds in his family, his dog Jackpot, the Pacific Northwest, and the creative process behind EDM music.

Tune in to learn more about Drex DeFord and his thoughts on healthcare cybersecurity, risks, and life!

About Drex DeFord:

Drex DeFord has broad experience as a senior healthcare executive, including a 20-year career as a US Air Force officer (hospital administrator/CIO), culminating as Chief Technology Officer for Air Force Health's World-Wide Operations. After retiring from the military, he served as CIO at Scripps Health, Seattle Children's, and Steward Healthcare. He's Past-Chair of CHIME's Board of Trustees and has served on the HIMSS National Board. Over the past several years -- as an independent consultant (and "Recovering-CIO") -- he helped lead trusted health systems, payers, associations, vendors, and investors through their work on healthcare's toughest problems. In March 2021, he joined CrowdStrike as Executive Healthcare Strategist. He's passionate about the mission to stop breaches and better secure clinical, research, and healthcare business operations.

Things You’ll Learn:

  • Most of the critical infrastructure in the US is built on insecure software and insecure hardware.
  • Manufacturers don't usually worry about software security and leave it up to the organizations that will use the hardware.
  • The more things you do, the more perspective you have when dealing with tough situations.
  • Another approach to incident response in cybersecurity is to ensure programs are constantly updated, making them intentionally resilient.
  • Many medical device manufacturers wash their hands of cybersecurity and maintenance once they deliver their products.

Resources:

  • Connect with and follow Drex DeFord on LinkedIn.
  • Follow CrowdStrike on LinkedIn.
  • Visit the CrowdStrike Website.
  • Read "Meaningful Protection: A Regulatory Proposal And Roadmap To Protecting Healthcare And Other Critical Infrastructure", Ed Gaudet's article for the Forbes Technology Council Blog.
  • For more information and ways you can increase your risk awareness and safety, visit us at www.censinet.com.
  • Music by David Cosgrove, an accomplished composer, musician, producer, and engineer. Listen to his latest project Del Piombo.

Transcript

RNS_ Drex DeFord: Audio automatically transcribed by Sonix

RNS_ Drex DeFord: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Ed Gaudet:
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet.

Ed Gaudet:
All right. Welcome to the Risk Never Sleeps podcast. I'm Ed Gaudet and I'll be the host today. And I'm joined by Drex DeFord, Executive Healthcare Strategist, aka Cyber Guy, at CrowdStrike. Drex, welcome.

Drex DeFord:
It's good to see you again. It was nice to finally cross paths in person. We've known each other, I think, for a while by reputation and crossed paths in person in Boston at the HEM cyber event, which was ....

Ed Gaudet:
Yeah. It was a lot of fun and nobody got hurt.

Drex DeFord:
Nobody got hurt, nobody, it's true, a very important part of the, crossing paths.

Ed Gaudet:
That's right, that's right. All right, well, we're going to get into it. This podcast is designed to really get to know you, Drex.

Drex DeFord:
Okay.

Ed Gaudet:
The person behind the protection, if you will. First, let's start with your background. How did you get into healthcare and how did you get into cyber?

Drex DeFord:
Yeah, how did I get into healthcare? Well, I'm a farm kid from Indiana. I didn't have money to go to college, so I joined the Air Force. I enlisted in the Air Force and I went to school at night and finished my degree, and the Air Force offered me a commission as a medical service corps officer or a hospital administrator. And since my, prior to enlisted time, was in information technology, I became the hospital administrator guy who knew something about technology, and that was before there were CIOs or any titles or jobs like that. And so I went from a small hospital to the Air Force School of Healthcare Sciences. At that point, I was the deputy CIO at the Air Force School of Healthcare Sciences, and then I went to the University of Alabama-Birmingham, and at the time there was really only a couple of health informatics programs in the country. I got a health informatics master's, and then I ran one of our regions with 14 hospitals across the southern US and then one of our big medical centers as a CIO, and then I was chief technology officer for Air Force Health worldwide operations in DC, retired from the Air Force, and wound up as the CIO at Scripps and then Seattle Children's and then Steward Health Care. The security part of this all sort of happened accidentally. Throughout all of that, there was always some responsibility for security as the CIO. After leaving Steward and moving into an independent consulting kind of role, I worked with vendors and PE and VC firms and startups and health systems and others, but I wound up sort of accidentally being asked to help cybersecurity companies with their sort of strategies and marketing and other stuff along the way, and one of those was CrowdStrike. They were a client of mine, as John Kirkman, the vice president of healthcare at CrowdStrike, stood up the healthcare vertical. And then fast forward a few years later and John and the team asked me if I would join and I never thought I would be an employee again. 
But I came back here, I came to CrowdStrike. That's been almost two years now, and that's kind of the accidental story of how you make your way into cybersecurity without really trying.

Ed Gaudet:
What a journey, very similar path I took as well. I put myself through school on an ROTC scholarship and was first really introduced to security in the field of artillery. I was in a nuke battalion, and so cryptography was a big part of the communications. And so that's sort of how I made my first foray into cyber.

Drex DeFord:
That's interesting. So you were in the Army?

Ed Gaudet:
I was.

Drex DeFord:
So I took the Army Expert Field Medical Badge test. I was one of only about a dozen Air Force guys who wore the Army EFMB, but I did it at Fort Sill at the Field Artillery School.

Ed Gaudet:
Yeah, in Oklahoma.

Drex DeFord:
Yeah, for sure.

Ed Gaudet:
That's a great, great place to visit.

Drex DeFord:
For sure!

Ed Gaudet:
Not many restaurants.

Drex DeFord:
No, no.

Ed Gaudet:
But you probably could spell VAX/VMS based on your ....

Drex DeFord:
Oh, yeah, for sure. No, those machines are, you know, I was a beta tester for the Mosaic browser back in the day. I wish I would have been smart enough to buy cars.com and, all those really easy dot-com domains when nobody knew what they were, but I wasn't smart enough to do that, so.

Ed Gaudet:
Well, that's something you probably would want to tell your 20-year-old self.

Drex DeFord:
If I was going to go back and tell my 20-year-old self something, it would be, this Internet thing is really going to be a big deal, you need to get on it.

Ed Gaudet:
Yeah, or at least by Microsoft.

Drex DeFord:
I'd really lean into it.

Ed Gaudet:
Please buy Microsoft.

Drex DeFord:
Or something.

Ed Gaudet:
Exactly. So big role, obviously at CrowdStrike helping providers, our healthcare infrastructure, think through their cybersecurity strategies and implement tools and technologies, and processes. What keeps you up at night?

Drex DeFord:
You know, I don't know that this necessarily keeps me up at night, but it's one of the things that I do think about a lot and worry about a lot, and that is the critical infrastructure that is not only healthcare, but a lot of small municipalities and water treatment plants and the real critical infrastructure stuff that in a lot of ways really struggles doing good cybersecurity and keeping systems patched and updated and all the things you need to do to be able to run a good cybersecurity program. And so I think when the worst case scenario, if the toilets don't flush and the emergency departments are closed down and somebody turns off the stoplights in the city, pretty much nothing else will matter, right? We're all going to be concerned about all those other things. And so it's the really simple, basic things like that, critical infrastructure. If we can't get critical infrastructure right, we won't be able to do all the other things that we aspire to as a city, a business and economy, as a country, whatever the case may be. So it's the fundamentals, it's a lot about the fundamentals.

Ed Gaudet:
Yeah, that's a great point. It extends into the rural health as well.

Drex DeFord:
Sure, that is small and mid-sized businesses, small and mid-sized healthcare organizations.

Ed Gaudet:
Exactly, so it's probably the weakest link in the healthcare chain when you think about ....

Drex DeFord:
It really covers more patients and families than most people consider. I mean, big health systems get the headlines because they're spending money to do a lot of cool, innovative things. But I'll tell you, I've spent time with small healthcare systems, so have you, where you have conversations with them and they are super psyched that they're going to get their third person in the IT department. That's not really a great recipe for overall success, which means I think we also see a lot of consolidation that's happening now. It's going to continue to happen and I don't know if that's good for healthcare for the country or not, as long as those services and capabilities continue to be there, but I think sometimes the consolidation drives a lot more business decisions and closures in places where now my nurse emergency department is 150 miles away, and that's not good for folks in small-town America.

Ed Gaudet:
That's right. We've got to think about a way to get them the resources they need and have that level of protection that's required.

Drex DeFord:
Yeah, not to turn this around on you, but you wrote a great article in Forbes, the Forbes Council blog, just a couple of weeks ago, with the idea of meaningful protection, right, and is there a way to sort of create a program that ultimately incentivizes healthcare organizations to build good cybersecurity programs, but in the structure of, if you do that, you will be properly incentivized or paid to have a good cybersecurity program. I mean, unfortunately, and I just was watching something with George Kurtz, our CEO, and Jen Easterly at CES, and Jen was talking about how a lot of critical infrastructure, a lot of infrastructure actually in the country, is built on unsecure software, unsecure hardware. You know, like things come off the assembly line and out into the world and they're not secure systems. And in some cases it just goes and goes and goes. Lots of patches, lots of upgrades, lots of critical things that you have to do to try to make them secure. But once they're off the assembly line, the manufacturer sort of washes their hands of it and it's up to the organization then to secure them. That's a real challenge for us.

Ed Gaudet:
Yeah, we're going to patch our way out of this problem.

Drex DeFord:
I think that, and I think Jen referred to it as cyber safety, and if we're going to do this in a sustainable way, we do have to get to a place where the manufacturers of medical equipment and IoT, OT, software, operating systems, they have to build things that are secure out of the box. And if we can get there, we can actually build a more sustainable cyberculture, but in the meantime, a lot of us are struggling. And I think in the smaller places, like rural places, they are double struggling, right?

Ed Gaudet:
Well, I think the MDMs, the medical device manufacturers, fall back on the FDA regs. And so there's this reconciliation of what FDA says to what actually has to be done to provide the visibility and telemetry that we need, because it's not a matter of if, it's a matter of when, and it's really how prepared you are to recover from an attack.

Drex DeFord:
Yeah, I mean, the idea behind, we talk about IR as being incident response, but culturally I think if we're going to do, I sort of refer to this all the time, cybersecurity transformation, getting out of the old model of cybersecurity and into the new model of cybersecurity, that we have to think about IR not only as incident response, but also as intentional resilience, right? You have to build programs, and because everything is connected to everything else, we have to build programs and infrastructure modernization and regular updates, we have to do application consolidation, we have to do all the things that make the environment as simple and as resilient as possible. If you do that, it's easier to run, it's easier to maintain over time, it's easier to secure, and you build a platform upon which you can do more digital health kinds of things more easily. So it's that resilience part of this that is critical ....

Ed Gaudet:
... Pushing automation and the combination of automation, the right resources, the right people, obviously the right level of training and education and support that those folks need, and also the right processes. And I'm always surprised by customers that want to implement a certain level of technology or type of technology but aren't willing to change their process, and I always say that it doesn't matter what tool you purchase. If you throw a great tool at a bad process, you're going to end up with bad results.

Drex DeFord:
I used to talk about this with my team as, if you have a process that is a train wreck and you implement technology on top of it, you have created a very fast and efficient train wreck. So that is not what we want to do as CIOs or as tech or as CEOs or as technology people, that is not the kind of thing we're trying to build. And so a lot of this is the intentional resilience, building simple systems, doing work all the time. I'm a Toyota Production System guy, too. So building systems and processes that are as simple as we can make them. And when you've done that, you understand where your roadblock or where your logjam really is, and so you can make a really easy, good decision about the thing you need to automate to help make this faster, and that will then be better or cheaper or whatever the case may be. So you're buying the things you really need, not just buying something and then saying we have to redesign everything now because we've bought this new electronic health record, and a lot of us have gone through that process over the last several years.

Ed Gaudet:
That's right. All right, let's switch topics here. What are you most proud of last year, either personally or professionally?

Drex DeFord:
Most proud of last year. My daughter had my first grandchild.

Ed Gaudet:
Congratulations, that's amazing.

Drex DeFord:
And thank you, so I would say personally, it's probably that. I've been asked in the past, what's the best thing you have ever done? And I would say that was my daughter. But this year, my grandchild definitely trumps that.

Ed Gaudet:
So tell me about your grandchild. How old?

Drex DeFord:
Oh, yeah. So she was born in February and it was Coraly Brave, and then her parents' last name, but Brave as a middle name was not, it didn't come from me, but I love it. I think she's my brave, brave girl, and that's one of the best middle names I think I've ever heard of. But she's a great kid and she's just started walking. She was down for Christmas, and so she's walking kind of early.

Ed Gaudet:
Yeah.

Drex DeFord:
For a lot of kids. And so I'm ready to get her some track shoes and, you know, like, let's get her out there and kind of see.

Ed Gaudet:
You're doting. You're a doting grandfather.

Drex DeFord:
Yeah! Sure, awesome!

Ed Gaudet:
My wife and I talk about that, too, because we're going to be entering that part of our life soon. So I'm looking forward to that. We have ...

Drex DeFord:
That's great.

Ed Gaudet:
Dogs of the surrogate, so ...

Drex DeFord:
I have a dog and my dog's name is Jackpot. And he's snoozing over here right now. But definitely, I've always loved dogs and I've lived in like condos where I know all the dogs' names, but I don't actually know all the people's names who own the dogs. And so I've always wanted a dog. And literally probably five years ago, four years ago, I got my first dog and now we're kind of inseparable.

Ed Gaudet:
So what type of dog?

Drex DeFord:
So we get that. So it's an interesting DNA test that he's a pit bull and shih tzu. I don't know if you've ever seen Dumb and Dumber. So I'm going to say this, you can bleep me if you need to, but so he's a bull-shih, and he's a great little dog. He's like a little 30-pound pocket pit bull-looking kind of dog. Doesn't look like a shih tzu at all. But he's a really good boy, and I totally, I'm with you in that those can become your children, I have that same relationship with my dog.

Ed Gaudet:
We have a mini schnauzer, Grayson, and great dogs. Our second one and our girls have brought three more dogs into the family so.

Drex DeFord:
Mini schnauzers are so smart, too.

Ed Gaudet:
Oh, they're so smart.

Drex DeFord:
And oh, man, my neighbor had one. And like, he had it trained within an inch of its life, and that dog was just brilliant.

Ed Gaudet:
So we're adding the dogs now and then I'm sure the kids will come soon. So we'll just, we'll be patient. Outside, outside of healthcare and dogs and cyber. What are you passionate about? Where else do you spend your time?

Drex DeFord:
Sure. I mean, I live in the Pacific Northwest. I live in Seattle. So part of the reason that I live here, and I mean, I've lived all over the world, so the opportunity to kind of pick a place that I wanted to work, you know, I left San Diego to come to Seattle and go to work at Seattle Children's because I loved Seattle. And when I moved to Boston to be the CIO at Steward, I realized pretty quickly that the thing that people talked about, which was homesickness, that was actually a real thing. I always thought it was just a thing people said. So when I had the chance to move back to Seattle, I moved back, and part of the reason I live here is just all the hiking, all of the outdoor activity stuff, snowshoeing this time of year. I'm not a skier, but my wife is a skier, and so, and Jackpot loves doing that stuff, too. So we spend a lot of time on the trail or fire road or other places outside doing stuff, even in the rain, when it's raining.

Ed Gaudet:
The rain, terrific. Yeah, that's good. So we have a dog in the background. I don't know if you can hear him, another dog. So we talked a little bit about this already. What would you tell your 20-year-old self or 30-year-old self, maybe about cyber, maybe about IT, something you learned along the way that you wish you had learned sooner?

Drex DeFord:
You know, I think it took me, a lot of this is the, I think just the maturing of the industry over time. And in the beginning, we bought things and put them together and then made them last as long as we could, and then we bought replacement bleeding edge, whatever end-user devices, network components, whatever, and then we made those last as long as we could. And one of the programs that I built in the Air Force was really sort of taking all that money back away from the facilities and building a program that was a coordinated standardized modernization effort where everything didn't have to be bleeding edge, but it had to be relatively modern and it all had to be standard, and then you could plan the replacement cycles for that. And that sounds like such a duh, like, of course, everybody does that. But there was a period of time early in our information technology days, I hate to admit maybe how old I am, but it was a time where that wasn't a thing. Nobody knew to do that, they didn't understand that was a process we should take on. So I guess from an IT perspective, if I would go back and see my 20-year-old self, I'd probably say there's this idea that you really should grasp onto more quickly than you did, but yeah.

Ed Gaudet:
That's great. All right, so the name of this podcast is Risk Never Sleeps, and really it's the personification of risk in healthcare. Risk doesn't check out at the end of the day, risk is risk 24/7, right? I like to say it greets us in the morning and it greets us on the ...

Drex DeFord:
.... at night.

Ed Gaudet:
That's right, it tucks us into bed, right. So what's the riskiest thing you have ever done?

Drex DeFord:
So 20 years in the Air Force, I was a CIO at a lot of places, but there were also a couple of sideline departures from that. I was deployed to Desert Shield, Desert Storm, and ran an air transportable hospital there and actually spent a lot of time kind of on the circuit from Oman to Qatar to Egypt to probably lots of other places I mostly wasn't supposed to be. There were some really risky situations that I ran across there, but ultimately everything came out fine, shot at and missed, but no holes, so that's a good thing. That feels like a lot of risk. And then I think personally, again, hiking. I'm mostly a hiker now, but I was a climber for a while and there were definitely times where I fell on climbs and it could have come out bad, but because you do all the things that you do to try to prepare yourself, you're comfortable with that risk and don't panic when the time comes that something bad happens.

Ed Gaudet:
And recover quickly.

Drex DeFord:
Ultimately, right. Nothing bad happened and we were able to get right back on the climb again.

Ed Gaudet:
That's great.

Drex DeFord:
The other thing I would say is that taking risk, maybe this is something I would tell my 20-year-old self to do, right? Go ahead and take the risk. Like, take risks. Now be prepared, but take the risks, because the more risks that you take and the more sort of dangerous things that you do, and that doesn't have to be like physically putting yourself in peril, but just business and life. The more things that you do, the more perspective that you have. And so when things are going bad, like for me now, somebody complimented me the other day, we were in a particular situation. Things were not going particularly well, and the person looked at me and said, well, you're awfully calm. And I think it's because perspective, right? You've been in situations where things have really been really bad, that's not this. And so you have some perspective which can allow you to take a breath and think through situations and not panic. So risk is good if you manage it properly.

Ed Gaudet:
Yeah, I like to think that there's proactive or active risk-taking and then there's passive risk-taking, and the act of not actively taking a risk is actually taking a risk at some level. And I think also the military prepares you to manage those risks that otherwise you, it might actually affect your ability to think purposefully about how to address it in a thoughtful way versus reactive way.

Drex DeFord:
For sure. I mean, how much time did you spend when you were in the Army doing exercises? All the time.

Ed Gaudet:
Yeah, some of the time.

Drex DeFord:
And a lot of that was kind of built on this idea. I mean, we're just trying to figure out every possible bad thing that could possibly happen, right? Then how are you going to work through that so that when you went to the field and you were actually getting shot at or other things are happening to you, like you can just say to yourself, like, we've done this, I've been here before, I know what to do, I'm not going to panic. And I think for cybersecurity pros, a lot of this is the same thing, especially like for incident response, incident response exercises and tabletops and more full-blown incident response exercises, doing those kinds of things over and over, business continuity planning, those are all the kinds of things that put you in a position to be ready when the bad thing happens. You're not like, oh, this is the first time I've ever thought about this. Don't be that guy. Don't be that person.

Ed Gaudet:
It's that Mike Tyson adage, right? Everyone has a plan until they get punched in the face.

Drex DeFord:
Yeah, for sure.

Ed Gaudet:
It's good to get punched in the face a couple of times to realize, okay, I can handle this and.

Drex DeFord:
Yeah, yeah, right, right.

Ed Gaudet:
All right, so we're coming up to the end here. I do want to ask you a question about your love for music. I think you said you were a DJ in a past life when you were younger, much younger.

Drex DeFord:
Back in my, very much back in my younger ....

Ed Gaudet:
Before Motown started, I'm sure that, way back then.

Drex DeFord:
I don't know. I don't think it's that far, but I don't think there was a huge amount of rock and roll to choose from. You know, probably this would have been in the early eighties.

Ed Gaudet:
I want to ask you the desert island question, but I will ask you if you have your choice to listen to music. What are you listening to?

Drex DeFord:
Oh, man. I mean, I'm really all over the place. I'm probably not a country music person. I'm much more into rock and roll. I think we've talked a little bit about Van Halen and Rush, that whole sort of era of rock and roll groups. I probably listen to that more than anything else. But I'll tell you, there's something really interesting to me now about EDM music and computerized music and the way that you watch DJs and you can see a lot of this stuff now because we have social media, you can see how some of this stuff is actually created. The creative process behind that is pretty ingenious, the way that they sample other songs and turn those songs into brand-new things. It's a, I find that part of the creative process to be fascinating.

Ed Gaudet:
So the blending of the different genres in real-time.

Drex DeFord:
Yeah, and one of our mutual friends, Dennis Egan, talks about how everything is a remix and it really doesn't matter. Like anybody who comes up with a new idea and thinks it's a new idea, the fact is it's probably some spin-off of something that's already been here. And so everything is a remix and it often rhymes and that's good stuff and bad stuff.

Ed Gaudet:
That's right, yeah, and it's only going to get worse with ChatGPT.

Drex DeFord:
That's amazing, and the other thing that I think, I've played around with it a little bit, and the more that I play with it, the more that I read about it and ultimately where it may be going, the more I also realize that everything that I'm putting into ChatGPT to ask questions about, it's probably being documented and attributed to me, so that ChatGPT knows more about me than I do, I've forgotten that I've asked those questions exactly, and it is continuing to build a profile on me.

Ed Gaudet:
So we all make it smarter too.

Drex DeFord:
Well, yeah, it's like free contributions to the AI learning process, right?

Ed Gaudet:
Absolutely. Yeah, all right, well, very good, well, thank you, Drex, for your time. Hopefully, you enjoyed the podcast.

Drex DeFord:
Yeah, good time. Thanks, it's always good to talk to you, too.

Ed Gaudet:
Likewise.

Drex DeFord:
Oh, you guys do great work. I know that you put your shoulder against it. I would just say thanks. This is a hard job for cybersecurity pros kind of across the board, whether you're in a healthcare organization or you're supporting them, that we usually look to the government to provide the Army or the Navy or the Air Force or whatever to fight the bad guys, but in this case, the front-line fighters are the cyber pros who are in those organizations. So thanks for doing that. And to all the folks who are listening, thanks for doing that.

Ed Gaudet:
And thank you for your service as well. You're on the front lines as well. OK. Thank you, Drex, for joining us today. I really appreciate it. And obviously, I appreciate everything you do. This is Ed Gaudet from the Risk Never Sleeps Podcast. Thank you for joining us today. And remember, everybody on the front lines of cyber, stay vigilant because Risk Never Sleeps.

Ed Gaudet:
Thanks for listening to Risk Never Sleeps. For the show notes, resources, and more information on how to transform the protection of patient safety, visit us at Censinet.com. That's C E N S I N E T.com. I'm your host, Ed Gaudet, and until next time, stay vigilant because Risk Never Sleeps.
