Navigating Cybersecurity Obstacles in Rural Healthcare

I'm Mary Ann Kolbisak-Begie, Executive Editor at Information Security Media Group.

I'm at HIMS 26 today, speaking with Greg Sieg, who is SISO for the University of Michigan Regional

Health Network, where he leads the Information Assurance Department for the University of Michigan

Health West and the University of Michigan Health Sparrow. So Greg, for starters, tell us a little

bit about your organization for those who might not be familiar with the University of Michigan Regional

Health Network. University of Michigan Regional Health Network comprises of two hospital systems,

as we mentioned, Health West and Grand Rapids and Sparrow in Lansing. We service anywhere from

real communities up to, you know, urban health care, anywhere from inpatient outpatient and

military care, you know, from which the full gamut. So now, Greg, you were here at HIMS,

speaking about challenges that small and rural health care organizations face. What sorts of

cyber challenges do you see these world and smaller entities, including your own facing?

Yeah, so cyber challenges, you know, we were getting attacked on a daily basis here,

and, you know, the thing is that the thractors have to be right once. We have to be right every time

at the end of the day. And, you know, that makes kind of an unfair advantage, if you will,

that we're dealing with. And on the rural side, the funding's just not there to

bringing all the tools and have the resources available to look at these at a daily basis.

You're dealing with, do you replace an MRI machine or do you increase your EDR or your

cybersecurity footprint? And most of the day, the MRI machine is going to win out. We're here

to serve the patients and the patient care of the community. And if we put everything into cyber,

we can't fund our MRIs and our other devices to help that mission of the overall organization.

So it's a balance that we have to deal with from a day to day to make sure that we're making

the right decisions. And he said, we got to make those right decisions every time. So we do that

typically by trying to layer our security so that any holes that get missed are picked up within

those layers, such as, you know, it's referred to often as the Swiss cheese model. But trying to

keep that all together and make sure that as we're doing this, we're bouncing, you know,

what the priority of organizations, which is that patient care.

So are there any promising or realistic ways that you see on the horizon, either, you know,

with government programs or industry programs or other sorts of initiatives that could help

address some of these challenges when it comes to funding and resources and, you know, building up

that bench-strength, you know, the rural community needs when it comes to the healthcare cyber

workforce. Yeah, absolutely. There's several programs out there right now, grant programs,

and other initiatives that I think are really helping, you know, that strategy.

The problem that we're seeing right now is the ability for the rural facilities to be able

to take that information and move forward with it. You know, a lot of times when we think of

real health, we think of critical access care hospitals, and systems that, you know, still

probably have an IT department and whatnot, but what a lot of people don't think about is the

long-term care facilities, the dental offices, the, you know, all these other services are out there

that might just be a single practice, you know, and don't have those types of resources.

Many times in a physician office, it's a physician doing their own IT, you know, and they don't

have those cyber resources or that understanding. So when a grant comes out safe from the government

or from Microsoft or whatnot to do that work, they don't know where to start with that grant.

They just know that, you know, they're there to take care of the patient, and that's what they

need to do, and that they need to make sure they do it safely. So I think right now one of the gaps

I see is how can we bring these grants together and then, you know, disseminate these through?

We've seen a little bit work in Michigan with different groups. The Michigan Healthcare

Association just recently started a cybersecurity initiative with a group to try to bring some of

these initiatives to these rural health facilities, and I think there's some promise there,

but we've got a lot of work to do in this area still.

As far as your own organization, how are you trying to, you know, stretch your resources?

Yeah, you know, I think that's the name of the game with cyber, unfortunately, is, you know,

we're competing off of a small budget of IT resources, which are also being stretched at the end of

the day. So we're doing that by, you know, in areas that we can try to bring, maybe not the best

of breed, but the best of, but utilizing systems that have multiple different security functions

within them that maybe we can get a little better bang for our buck more or less. So we're looking

at where we can bring in maybe the best of sweet versus the best of breed that gives us a lot

better bang for our buck, and still lets us increase our security footprint across the board.

As a system in a, you know, smaller rural area, what keeps you up at night most right now?

Oh, there's a lot of things that keep me up at night, but, you know, I think just like anything

else, we always find ways to recover, you know, AI is the one that gets kind of constantly brought

out there. You know, I look at and go, what from, what can we utilize AI to help us? We've seen a lot

of good work within SOX and within EDIRs and some of those systems of utilizing AI to really strengthen

our cybersecurity. So, you know, essentially right now it's the battle of AI and staying

on top of it. I look at it as a challenge of making sure that we're utilizing it properly

internally, but also where can we utilize it from a cybersecurity standpoint to help battle that

out. So that's probably the big thing right now, but I look at that as just another challenge

that we face and, you know, that's the, the thing with cybersecurity is just like technology

or ever changing. So, you know, every, every other week there's something that new that keeps me up.

In terms of AI, are you using it at all for cyber issues right now?

Yeah, we're definitely integrating it and I think it's hard to find a product right now that doesn't

help AI within it. So, we're definitely utilizing systems to, you know, help look at algorithms,

help look at different attack factors and to help pull those out and help our staff, you know,

recognize those faster. Well, thank you so much, Greg. I've been speaking to Greg Sieg.

I'm Mary Ann Kobasek McGee of Information Security Media Group. Thanks for joining us.