RNS_Karen McMillen: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Ed Gaudet:
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet.
Ed Gaudet:
Welcome to the Risk Never Sleeps podcast, in which we discuss the people that are protecting patient care. I'm Ed Gaudet, the host of our program, and I'm pleased to be joined by Karen McMillen, senior risk analyst at Asante. Good afternoon, Karen. How are you today?
Karen McMillen:
I'm great, thank you, Ed.
Ed Gaudet:
Excellent, excellent. So tell our listeners a little bit about Asante.
Karen McMillen:
Well, Asante is a three-hospital, multiple practitioner practice and healthcare provider organization in Southern Oregon. We have a medical center in Medford and handle most of Northern California rural areas, and as well as southern Oregon. We're really the biggest provider in the area and growing continually.
Ed Gaudet:
Okay, excellent. How did you get into healthcare and specifically IT and cyber risk?
Karen McMillen:
It's an interesting story. I started out as a lit major at UC Davis a long time ago, yeah.
Ed Gaudet:
We have a lot to talk about. I'm a lit major.
Karen McMillen:
Okay, me too. And you know, it's funny. People don't think much about that. They go, you should be an MBA if you're in business, but it's really quite the opposite. I think the ability to write and analyze is really helpful. And I found that my skill set has been really invaluable, and I've filled a niche. So when I was at UC Davis, we were in the United States, healthcare becomes a big issue. So I was offered a job at the AT&T phone company right when divestiture was starting. And most people that are listening probably don't know what divestiture is, you can look it up, but it has to do with the quote-unquote ... company. So I was brought in there, in a service rep, so I can get my ..., and I was quickly promoted into the Silicon Valley in 1985 to be on the major and national accounts for ACMC. So that wasn't healthcare, but that's how I started IT, and they train you very well. What was interesting about that is that was like the Florence of the Information Age renaissance. I had AMD, .., and account, AT&T was threatening to compete with IBM, so I learned a lot about IT. I learned a lot about technology and the environment, and I have been there for many years. And then IT, you know, five, ten years, and then I took eight years off to be a full-time mother. I made that decision, I never regretted it. When I went back, I was hired immediately back by AT&T, and when I was there, I saw a job ad, this is like in 1996, for the corporate Information Security Department. And I thought the most intriguing, and I was up for promotion, and I actually took a downgrade to get into this organization because I'd been interested in Netscape and seeing what's going on with the information age, and I thought, this is really going to be interesting. How are we going to secure information on the Internet? So I took the job, in fact, I had to bargain because I was overqualified, and I came in as a support staff handling the budget, and I made a deal.
I said, look, if I do a good job, can I get the team learning security? And so I did. And within two years, I was the regional manager of the telephony in Nevada, worked for AT&T, just had a wonderful time, and eventually, I was hired in as a, took a job with Providence Health and Services, which I bubbled up from an analyst to a regional information security officer for about three years. And so I had a leadership role there, two states, and then I decided I really enjoyed the Edelson job better, and I've been doing that ever since. I did ... Consulting for about six months, but the travel was too much. My husband had worked for Asante and even the state of Oregon, so I got into healthcare kind of because it sounded interesting, but I've heard people say, once you're in healthcare IT, you'll never leave.
Ed Gaudet:
What do you love most about IT?
Karen McMillen:
IT or healthcare IT?
Ed Gaudet:
Healthcare IT.
Karen McMillen:
Healthcare IT, I think one of the things I wish I'd done more of is give back, help people. Like my father was a physician, my sister and brother are artists, are doing a lot of giving back. And so with healthcare IT, I have ability to connect to my work with energy-saving data anymore, but starting to reach towards securing patients, and I think that was the most interesting thing. And I'm analytic enough, I mean, don't make me ..., analytic enough to enjoy the complexity of healthcare IT. It is just fascinating, and it's changing so fast.
Ed Gaudet:
Yeah, I found the same thing when I got into healthcare for the first time. That shared mission that you have with customers is unlike any other industry. We're all patients, or we know patients, or so it truly is a shared mission.
Karen McMillen:
It's kind of a clique, I mean, I think there's a lot of specificity to the things that we do in there. They're good people. I like all the people that I've worked with in healthcare, and I like mixing up the doctors. I like going out in the soil and seeing how these medical devices work, and I have that feeling I'd like to know more to be able to be of use.
Ed Gaudet:
So what keeps you up at night?
Karen McMillen:
Well, in the larger sense, just the inequality that's going on in the world and in our country, and socially in healthcare. You know, I see a lot of folks really can't get the healthcare they need, so there's that, and that just keeps me up at night. But I think to my professional standpoint, I think the risk is changing. I think that before, it was more product-specific and company-specific, but I'm seeing now as more systemic. And if I have a medical device, it's connected to cloud, might also be connected to the person, the personal area network they're calling it now. And so I'm dealing that we don't quite have a hold yet completely on the systemic view of risk management, that you might have multiple vendors, multiple devices, multiple methodologies. So I'm just trying to get my arms around that and understanding all these new sensing technologies that are coming in, and I'm not sure that we have them yet. It's like history is not a circle, and it's not a straight line. It seems a little like a spiral, right? I've been there before. I've been where vendors didn't have to know about security, and now here I am again with, the IoT vendors, with the same reluctance to increase security in their product design that we had in computers back in the 80s and 90s.
Ed Gaudet:
Yeah, no, it's so true. In fact, I'm hearing this phrase again, secure by design, which is, Microsoft kicked that off 20 years ago, and now I'm hearing it again, and ...
Karen McMillen:
Feels like, I've been here before, you know, I can reach back into my bag of tricks. Okay, now, how did we work with the vendor before?
Ed Gaudet:
Exactly.
Karen McMillen:
It's like a combined ... of, you know, legislation and vendors and customers working together on that.
Ed Gaudet:
Well, and that changing complexity and attack surface really makes it obviously interesting. It keeps you on your toes, I suspect. What have you seen from a personnel perspective, workforce perspective, in terms of folks' ability to really understand cyber and bake it into their day-to-day job and operations? Do you feel like we're at a point where folks really understand cyber, and they get it, and they're really they're doing the training that you're asking them to do, or they're being a lot more vigilant about clicking on that link than they were, say, five, ten years ago?
Karen McMillen:
That's a great question, and I think it all comes down to people. One of my job roles is, I call it human cyber training, and the education and writing newsletters, and getting out and presenting. To be honest with you, I'm not seeing a whole lot of difference. I'm seeing some because they're reading it in the paper, but I think it's almost like, what do they call them? A clinical environment alert fatigue. There's almost a little bit of that going on, but I think we really need to do is more executive education. I think as we need more digital natives into executive roles that are built, that I think that there's still a reluctance to really think about it and apply it. That being said, there is also some improvements. For example, when we had our mock phishing exercises, I did a lot of commentary back, and a lot of thank you, because, you know, I've been able to apply this to my home life as well and try to give them a little why about when we're asking them to do something. You know, this is why I'm holding up your contracts signing, this is what can be happening. I think as cyber professionals, we just have to give them why? It's like taking your shoes off at the airport. Yeah, you're not going to likely be a shoe bomber, but, you know, we have to make inconvenience and security level absolute.
Ed Gaudet:
It's so true. I was just talking to someone before this call about getting to the why, and it's so critical. And oftentimes, it's overlooked because people want to get into maybe the technology specifics, or, but really understand that why is so critical to solving the problem if you don't understand the why, you can solve any problem, right? It could be the wrong problem.
Karen McMillen:
It's so complex now, I think it's intimidating. It's intimidating for people to really understand what can happen, and right now, the news is, you know, you can clone people's voices, and so social engineering just took a whole new leap. How do we train our employees about phone calls or, you know, there's phishing, which I guess is the phone call? You know, we really have to continually do this, and we have to find more and more creative ways to it. You know, I put a cyber quiz out for employee awareness and make it kind of fun. Like, who knows what Stuxnet is? You know, I think a lot of people that found it very interesting trying to, you know, it's an interesting, almost a sexy business, and there's interesting things that are happening in security, it's fascinating, and if you kind of take them along with stories and the whys, it helps.
Ed Gaudet:
Well, and everyone loves The Godfather. Everyone loves to watch crime shows, right? And this is organized crime at its best, right? And I think what's happening now is the healthcare industry is getting that, and we're all now starting to band together and work together and build that community of leverage like the bad folks have, right?
Karen McMillen:
Yeah, saying it's not getting better. It is, but I guess maybe I'm thinking it's almost like a brutal poker game, you know, the, and it keeps going up. And so even though people are getting better, it keeps going higher and higher and higher. So like, no, no, no, no, they don't know enough. But it is getting better, and it's a big part of my job. And I think the most useful thing that I've done is I'm kind of a regular contributor, if you will, to a ... Asante's newsletter. It goes out, 6000 employees and not employees. They have a wonderful woman that puts that out, makes it a lot of fun, and very interactive. So I've had my articles out there, and then people just know me and will talk to me. Why do we have Alexa coming in? You know, you have to drag her out with handcuffs. No, you can't have that happening in here. So I make it a little, I make it a little bit fun by, you know, putting a face to it, that's been really effective.
Ed Gaudet:
Yeah, it's interesting when people ask about Alexa, I always say, well, have you ever been at your house and you'd be talking about a particular topic, and then you look at your phone, and you realize they're serving you up ads on that topic?
Karen McMillen:
Yes, I know, exactly. You know, so.
Ed Gaudet:
You want Alexa.
Karen McMillen:
That person's all, so we can't have her? She's just getting up to get pulled out by security. So ... That's funny. But it's been a long journey, but ... face with it, a human face with it, you need to make it frequent, and you need to make it fun.
Ed Gaudet:
That's right. So true, so true. And it has been a long journey. Obviously, we kind of got through COVID, the pandemic for the most part. I mean, we're still dealing with a little bit of a fallout, and the whiplash of it, feels at times like we're back in it again. But for the most part, I think we're through the worst. But given that challenging last couple of years, what are you most proud of personally and professionally?
Karen McMillen:
Well, I'm most proud of our company. Asante is a wonderful company to work for, just giving a free, free plan, but they immediately understood that it's okay. ... start with ... We immediately sent home, and they actually found a production went up. So I'm really proud of the way that the company handled it. We really ... I'm proud of the way our whole team is really able to come through this with all the changes and remote work, and how do we secure remote work? How do we get multifactor authentication for everybody? I think it's that really me, I'm proud of that. Our security team that really had to work to get the technology to make the notebooks happen, and proud of my company, Asante, for making it through this very difficult time. It was, had to pull and help, and workers from all over the world to try to help us through this time. So I think it's a matter pride, ..., healthcare practitioners and also our chief staff.
Ed Gaudet:
What were some of the things you had to do in your role as risk analyst during the pandemic and even afterwards? Maybe from a change perspective, how did you have to change the way you worked?
Karen McMillen:
Right, I think a lot of it was working with the field, working with, I call it the field to be a doctor, it could be the lab. All the different organizations I work with, I wasn't able to go out there and talk to them like I used to. So it became, everybody becoming really more familiar in teams, and I so had to change the way I communicated with people, which really came up to speed pretty quickly. I think everybody realized this is what was going on and was actually really depressed about how flexible people really are. So I had to connect to people a little differently. I saw more telehealthcare options coming in, so many different Zoom call technologies and how to facilitate that, how to approve these technologies that are needed right away. How do we fast-track a lot of things? So I think a lot of my job change as far as speed and communication now.
Ed Gaudet:
Did you have to rely on other folks to help with more of the new technologies coming in, maybe from a technology assessment perspective, or were you able to handle that yourself, or how did you manage that?
Karen McMillen:
My role is to intake the security risk assessments, and they could be anything from a sound sender, which doesn't just I can handle that myself, to some of these more complex systems, in which case I have some security engineers that make sure that I ask the right questions. We need to make sure that the iPads that are being used by physicians to talk to patients meet our requirements. We have vendors that no longer could show up on sites to perform routine maintenance that wanted to use their system to remote access to reset pacemakers. And so we need to say, okay, you know, are you going over the guest network or not? I mean, this is really critical step where suddenly we have all these requests for remote access. Everybody has their own solution. How do we really weigh the urgent importance of it right away versus the rest? So it was a challenge, and a lot of times, it did come back to a management decision, which is ultimately what security is. It's a business decision. You can't secure everything, so my job is just the facts, man. You know, what have we got? What does it do? Talk to the client, understand the importance of this, and then see that backed up. I'm like most of the folks that you have on your show are executives or directors and think, I'm a little different. I'm more of the good soldier or the ... that works with these people and can report to what's going on in the field, what are the trends, and say they're able to lead the ship as well in the right direction.
Ed Gaudet:
Yeah, that must be challenging, doing that remotely too. I can imagine ... a doctor or another clinician that, she can't purchase a particular machine because it's too high risk or.
Karen McMillen:
Yeah, I get that every day, and again, it's a matter of explaining it. And we are growing so fast. Healthcare industries are in constant growth as what I've always noticed, and so getting people to understand why that is, and now with IT, as they say, it's the old cycle, the operational technology vendor is saying, where is your security analysis of your architecture, and how this is how are devices authenticating to each other? What protocols are you using? Is your Bluetooth encrypted? These type of questions are just not prepared for. And so once again, I'm going back here and then with the growth and with the change and the remote, it's an ongoing struggle, and you just kind of get through it, and you learn from every vendor that you work with.
Ed Gaudet:
Right, excellent, excellent. So outside of healthcare IT and cyber risk, what are you passionate about? You mentioned you're a lit major still. You're reading, you're writing, you're still doing.
Karen McMillen:
You know, I'm an oddball, you know, I'm an avid, avid, avid reader and get The New Yorker every week, and I listen to the poetry. I have my favorite poetry.
Ed Gaudet:
Oh, my God. I'm, I write poetry. Oh, that's so great.
Karen McMillen:
Oh, nobody ever, you know, everything from T.C. Boyle to some of these Polish poets that are translated beautifully, but, so I'm an avid reader. I've got a huge library. I've always got three books going right now. See what am I reading right now? I just finished a Thomas Hardy book. You know, it's always kind of like, what am I going to read next? It's a big decision in my life.
Ed Gaudet:
Have you read Sister Carrie?
Karen McMillen:
No, I have not.
Ed Gaudet:
Theodore Dreiser. I just recommended it to my daughters, one of my favorite books I read when I was in university. Yeah, it's pretty. I recently hired a couple of writing coaches to help me with, I'm publishing a book of poems. So yeah, so I'm trying to do that as well, build a company. I think it's important, like you got to stay connected to your other hobbies and passions.
Karen McMillen:
You know, it helps, it gives you a different perspective on things and historical fiction is always great, but I do that. So I live 60 yards from the ocean, I'm up on a cliff in a small ... working-class community in California. I just love it. I'm an outdoor person. I don't need Nordstrom. I can ride my bicycle to the redwoods and along the coastline.
Ed Gaudet:
Are you in Big Sur?
Karen McMillen:
No, I'm in a little town, little tiny town at the top of California called Crescent City, California.
Ed Gaudet:
Crescent City.
Karen McMillen:
Crescent City. It's very small, very affordable. We have more people moving in now since remote. I used to be in Grants Pass, California when I worked for Asante, but they sent us home. So we just moved to the beach house here and really love it. So it's been a lot of time outdoors. I'm picking up weaving, learning how to weave. Yeah, it's very technical, so I think people like it.
Ed Gaudet:
Excellent. What would you tell your, if you could go back in time, what would you tell your 20-year-old self?
Karen McMillen:
Other than, take more math?
Ed Gaudet:
That's right. That's funny.
Karen McMillen:
Man, I wish I had my dad try to tell me. When do I listen? No.
Ed Gaudet:
I have a daughter who's just graduated with a quantitative finance degree, so. I figured I'd do my math through her.
Karen McMillen:
Yeah, no, I was able to get into a UC with only algebra and geometry. Frankly, I feel that I was done wrong, I shouldn't have been forced to exercise that other side of my brain, and I wish I had.
Ed Gaudet:
Yeah, I'm the same way. That's so funny. And then, lastly, I'd be remiss if I didn't ask this question since this is the Risk Never Sleeps podcast. What is the riskiest thing you've ever done?
Karen McMillen:
Oh boy.
Ed Gaudet:
I love this question because people always go, oh boy.
Karen McMillen:
You know, I'm being risk-averse, actually, I'm not a really risky person. I mean, I've listened to some of your podcasts, these people jumping out of your skin. Yeah, no, I haven't done that. It's like, well, you know, in summer camp one year, they had us get to the top of Mount San Gorgonio, Rieback, they called, Southern California. We hiked 20 miles, I was like 17. When we get to the top, and you'd been a hard winter, and the trail was about a foot and a half wide, and it was all iced in, and there, it was right at the top. And the counselors looked at each other and said, yeah, yeah, yeah, we all get the girls across here. And so it was like 25 yards of this, and it was so steep that, you know, it was right next to the edge and down the straight down. And so, I had tennis shoes on, I remember sweating through and looking at my tennis shoes. So somehow, I made it across, but that was probably the riskiest, and I should have said no.
Ed Gaudet:
But that's very good. That's cool, that works. Anything else you'd like to add before we wrap up? Anything you'd like to tell our listeners?
Karen McMillen:
No, not really. I think that it's a fantastic industry. Keep your eyes open, then work hard, and somehow we all work together. We'll hold the fort.
Ed Gaudet:
That's right, and that's a good way to end. This is Ed Gaudet signing off from the Risk Never Sleeps podcast. And if you are on the frontlines protecting patient safety, stay vigilant.
Ed Gaudet:
Thanks for listening to Risk Never Sleeps. For the show notes, resources, and more information on how to transform the protection of patient safety, visit us at Censinet.com. That's C E N S I N E T.com. I'm your host, Ed Gaudet, and until next time, stay vigilant because Risk Never Sleeps.