Healthcare Nation

Guest: Judith Germano, Cybersecurity Expert and Founder of Germano Law


Episode Summary:

In this episode of Healthcare Nation, Rick Gannotta sits down with cybersecurity expert Judith Germano to discuss the evolving threat landscape in the healthcare sector. With her extensive background in economic crimes and as a distinguished fellow at NYU's Center for Cybersecurity, Judith offers invaluable insights into the challenges and strategies for protecting patient data and healthcare systems against cyber threats.


Key Topics Discussed:

  • The State of Cybersecurity in Healthcare: Judith outlines the current threats facing the healthcare sector, emphasizing the value of healthcare data and the industry's vulnerabilities.
  • The Change Healthcare Ransomware Attack: An exploration of one of the most significant cyberattacks in the healthcare industry, including the implications of paying ransoms and the complexities of third-party risk management.
  • Federal and Regulatory Responses: Judith assesses the effectiveness of existing regulations and the role of federal agencies in enhancing cybersecurity within the healthcare sector.
  • Emerging Threats and Innovations: Discussion on the risks associated with medical devices and wearables, highlighting the importance of incorporating cybersecurity measures in the early stages of innovation.
  • Cybersecurity Best Practices: Judith shares advice for healthcare professionals and organizations on safeguarding against cyber threats, stressing the importance of proactive measures, crisis response planning, and the role of cyber insurance.
  • Judith's Journey to Cybersecurity: Judith shares her career path, from her initial interest in crisis management to becoming a leading authority in cybersecurity.

Conclusion:

This episode sheds light on the critical issue of cybersecurity in healthcare, offering expert insights and practical advice for navigating the complex landscape of digital threats. Judith Germano's expertise highlights the necessity of prioritizing cybersecurity and privacy in healthcare innovation and operations.

Creators & Guests

Host
Rick Gannotta
Health sector executive clinician educator & researcher, RTs/links 🚫 not endorsements, TEDX; https://t.co/51mnBxpPqv @NYUWagner

What is Healthcare Nation?

Welcome to Healthcare Nation, the podcast for enthusiasts passionate about the healthcare sector and eager to explore its current state and future trajectory. Join us as we delve into the heart of the healthcare, biotech, and MedTech industries with the help of top thought leaders.

I'm your host, Rick Gannotta, with over four decades of experience in healthcare, spanning from the hospital bedside to the boardroom, C-Suite roles in renowned health systems, advising game-changing startups and established companies, and educating the next generation of healthcare leaders.

In each episode, we'll bring you conversations with distinguished guests, including innovators, scholars, practitioners, and influencers shaping the healthcare landscape. Gain valuable insights from their perspectives and stay updated on the latest developments, trends, and noteworthy news.

Join us on this exciting journey and become a part of the Healthcare Nation community. Subscribe now on Apple Podcasts, Spotify, or your favorite podcast platform to stay in the loop.

Rick Gannotta: [00:00:00] Welcome to the Healthcare Nation Podcast, your host Rick Gannotta here. This week we've got, I think, an incredibly relevant and timely subject and, and honestly, a thought leader to address that.

So there's been a lot happening in the world of cybersecurity and healthcare, and Judy Germano is an internationally recognized thought leader on cybersecurity governance and privacy issues. Lemme give you a little background on Judith. She was the chief of economic crimes for the US Attorney's Office for the District of New Jersey for 11 years.

Now she's in her own law firm, Germano Law, where she provides client-focused representation and services to a variety of different individuals and sectors and companies across the board. She advises on cybersecurity, privacy, also represents on individual corporate securities issues, fraud, white collar crimes, and also any matters of corporate governance, internal investigations, crisis management, and civil defense.

[00:01:00] But she's also a distinguished fellow at NYU Center for Cybersecurity. She's a professor at the School of Law as well as the Stern School of Business. She leads NYU Cybersecurity Task Force, and she has an incredible round table series where she brings together corporate executives and senior government officials to explore and address so many of the challenges in cybersecurity.

She also spearheads NYU's women leaders in cybersecurity programming. It's an annual conference, which is really absolutely fantastic. I think really brings cybersecurity in the forefront and incredible women who are part of that effort moving forward. She's highly sought after, obviously, for speaking and her law work.

We're so happy to have her here today. And with that, I give you Judith Germano.

[00:02:00] Judy, welcome to the Healthcare Nation Podcast. I've been waiting to have you on as a guest for a while. Couldn't be a better time with everything that's happening. The world of cybersecurity and its impact on the health sector. So number one, so happy to have you here.

Judith Germano: Thank you. I'm delighted to be here. Thanks, Rick.

Rick Gannotta: Listen, let me just kind of level set for myself and the audience. I think that, you know, from a perspective, if you say ransomware or nefarious attacks against US health systems, this has really picked up, and I think at least from my point of view, it has called out the industry's vulnerabilities across the board.

I think last year there's like 88 million Americans were affected by these data breaches. We know that it's much more this year going up, I think like 50 or 60% more. Obviously patient information. The sensitivity of that, I think in the future a lot more when you even get into [00:03:00] genetic and test results, et cetera.

Lots of vulnerabilities out there. All that said, I wanted to ask you, can you describe right now and help us better understand the threat landscape, you know, what does it mean, what's, what's its implications for the health sector? And the recent activities, I think really highlight a lot of the concern that I'm, that I'm voicing.

And I will get into change healthcare in a second, but can you just bring us up to speed on, on what the threat landscape specifically for the health sector is all about right now?

Judith Germano: Sure. Thanks so much, Rick. It, it's a serious problem and particularly because of the healthcare sector's value of data and critical importance within our ecosystem, you know, for individuals, society and the government. So healthcare targets are particularly interesting, unfortunately, for cyber criminals.

Given that, you know, the data, the, [00:04:00] the systems and the fact that health and safety, which are paramount can be implicated by these attacks.

Rick Gannotta: Yeah. You know, and obviously folks have been looking at what's happening in the press with respect to Change Healthcare, which is a subsidiary of Optum. Can you talk a little bit about that? This has been described as like the worst US attack, certainly in healthcare, in history. What are the immediate impacts of this on the folks who are associated with Change?

I guess the providers, patients that are in there. And also I think there's been talk that they've paid and who did they pay? If you can comment on that, what are the implications of paying a ransom and did Optum structure have anything to do with that? I know that's a lot to bite off on, but what are your thoughts on that?

Judith Germano: Well, let me just back it up and say that we've been addressing ransomware issues for years and each year it seems to continue to grow up, grow and increase in terms [00:05:00] of the, the number of threats, the impact of threats. And again, the healthcare sector has been often targeted, particularly over the last several years.

With regard to Change Healthcare, this is one of the most disruptive cyber attacks in years. As a ransomware attack, it's crippled pharmacies across the United States, including pharmacies that service hospitals. Everything from large hospitals to single doctor offices are implicated. And it causes a lot of harm. Obviously if people can't get their, their prescriptions processed and paid, it can greatly impact health and safety as well as the profession and the function of the business.

To your question about the pay, it's actually been very publicly reported that it appears that Change Healthcare, and this is just from public source information, they appear to have paid a [00:06:00] $22 million ransomware payment, based on blockchain analysis, to a group known as Black Cat.

And there's a little bit more to the story though now, as has been reported, including in Krebs on Security, that cyber criminals who worked, who say that they worked with Black Cat, actually haven't received their cut. And part of what happened is Change Healthcare paid the 22 million to have the data that was stolen destroyed rather than leaked.

And now these cyber criminals who said that they gave Black Cat access to the systems still have that data that purportedly was destroyed. So this opens up so many different angles that, that we could talk about. But you know, first of all, when companies are victims of a ransomware attack, they, it's twofold, often, attacks.

One, if you want the [00:07:00] operability of your systems back is one aspect, and two is data being siphoned out that you may pay to have, for the certainty that that data will be either returned or destroyed, the copies that were pulled out destroyed rather than leaked. And it puts extra pressure on victims of ransomware attacks that if the data is leaked, you can't put that toothpaste back in the tube.

Rick Gannotta: Yeah, it's almost,

Judith Germano: shows, oh, go ahead. Yes.

Rick Gannotta: No, I was gonna say, it sounds like a hostage situation when you think about it. Also holding the data back or, or drips and drabs coming forth.

Judith Germano: Yes. So initially when ransomware started some years ago, we saw attacks that primarily focused on holding, you know, access, preventing access to your systems and functioning. But then there was this extra extortion angle of siphoning off the data, holding it hostage, as you say, and not giving it back until the ransom was paid, which sort of ups the pressure on the victims to [00:08:00] pay the ransom.

And like in a hostage attack, victims often say, well, show me a proof of life. Let me sh. We see that you actually have the data that you actually can decrypt what you've taken from me. And then to the extent that the analysis to pay or not pay becomes such an important question here. Change Healthcare is a, a good example of serious pressure, why an organization might feel inclined to pay, but also serious risk that you're paying your cyber criminals and you may or may not get what you're paying for.

Rick Gannotta: Yeah. I have to ask you structurally, is there, would there have been a better construct and I this is beyond my area of expertise, but that Optum could have put in place with respect to change or any of its subsidiaries that would've hardened the target for lack of a better way to, you know put it out there?

Judith Germano: Well, it's, it's always easier to Monday morning quarterback in cybersecurity incidents and [00:09:00] events. And so I'm not gonna speak specifically on this one at this time, but there's a lot unfolding and I think that the key aspect of this attack and the broad reaching impact really goes to the importance of managing third party risk for all organizations in the healthcare sector and throughout.

The, you know, this is something, I've actually published a white paper on this some number of years ago about the importance of third party risk and responsibility in cybersecurity. There's a lot of attention on it, but we still haven't fully addressed the risks sufficiently. So this attack highlights how the, the importance of the interconnectivity of the healthcare ecosystem and how each part of the chain needs to step up their cybersecurity.

It's, it's this one, you know, hospitals and doctors are impacted, but they're not the ones who suffered the, the harm. And we've seen this in many [00:10:00] other industries and examples, but this is a compelling third party risk management scenario.

Rick Gannotta: Right. Let me, let me shift a little bit to, I guess, maybe government or regulatory side. And from what I know, we rely more on voluntary standards for network protection than some, you know, codified set of expectations that are more regulatory. I don't know if that's true or not. This is just based on some of my research, but there's gotta be a better way.

And, and all that said, are there some steps and what steps should the federal government take to enhance? And, and really again, you know, better hardwire, the cybersecurity aspects of the healthcare sector.

Judith Germano: Well, Rick, we've been seeing over the years growing regulations on companies with regard to cybersecurity and increasing accountability for companies and their, their managers in terms of ensuring that they get cybersecurity right. [00:11:00] So there are regulations. I mean, the SEC in July 2023 put out additional requirements on cybersecurity for publicly traded companies.

So that impacts many in the healthcare sector. And then there's also HIPAA regulations that have been on for a long time in terms of the necessary protection of patient information and confidential information. DOD contractors have also regulatory requirements, so there's quite a, a panoply of, of obligations and quite a sea of risk for failing to navigate the, the waters of regulatory opportunities.

Then it goes to the question of how well are they working and is it enough? And I think we start by the ground principle that cybersecurity is very hard to get right. And there's increasing tools and technologies that companies can use, but there are still vulnerabilities.

You know, the, the best, most secure [00:12:00] organizations are still getting hit despite billions of dollars invested in cybersecurity. But this Change Healthcare situation is really a, a call to action for throughout the sector, at whatever level of the sector you are in, and importance of adhering to the regulations and ensuring good cybersecurity hygiene in terms of multifactor authentication, proper cordoning off of sensitive data, updates, firewalls, diligence, you know, penetration testing of networks and ensuring that you are not holding on your system any more than you need to do the job that you need to do.

And also interacting with systems not beyond what you need to do, because we really are all at risk. The risks are significant, the harms are critically important and concerning.

Rick Gannotta: In, in my history, I've had the opportunity to lead a couple of academic medical centers that were associated with, with large universities and those [00:13:00] universities separate from the, the, the health enterprise had DOD contracts and engineering or military, et cetera. And I was often told or led to believe that one of the more porous ways into those sites was through the hospital or the healthcare.

Now, I don't know if that's true or not, but perhaps with patient information, et cetera. I had always thought that, because of our focus on HIPAA and some of the other just inherent security levels that we take in hospital care delivery settings, that they would be fairly fortified, but apparently that's not the case.

Is that the lines of, of your understanding as well, Judy?

Judith Germano: Sadly yes, because hospitals are in the business of saving lives and keeping people healthy, and that is the number one priority. And as they become more and more internet enabled and dependent with information as well as devices and systems, the [00:14:00] focus on cybersecurity has not always been at the forefront to the degree that it should in terms of having the financial and human resources and experience to, to make sure that good cybersecurity is in place.

And also just juggling that with all the other priorities. This, you know, the increasing prevalence of cyber attacks on the healthcare system shows that that has to change. This has to be a high priority, but it is not easy. I was in a session more than a decade ago where we talked about the hope of having international norms on cybersecurity and hoping that hospitals, for example, would be not part of, you know, the, the attacks and that there could be higher standards.

And sadly that was not, you know, didn't play out in the practical world. I, I'll admit I was cynical back more than a decade ago. But it's not, that's not a rewarding area to say, well, we saw that coming, 'cause we know how lucrative the [00:15:00] targets are, and when the pressures are high, maybe victims are more likely to pay than to watch people die.

But that just shows we have to prioritize cybersecurity. We have to get just much ensure there are better resources. Ensure there are increasing expertise. Hopefully with the use of AI enabled technologies, there are ways to improve cybersecurity in terms of finding vulnerabilities and enhancing systems and cordoning off data.

But at the same time, AI is in the hands of criminals as well, and they can leverage those for pernicious attacks.

Rick Gannotta: So let me stay on, on that theme and ask you, I'm gonna put you on the spot because of your previous role. And, and just your, your depth and breadth of experience, can you give us an idea of, of how the federal responses, the agencies, HHS, DHS, the FBI, the three letter agencies, in keeping this component, the healthcare sector, [00:16:00] safe, what are your thoughts on the latest strategic plans?

And I'm saying that in light of not only this recent attack, but you, you mentioned international cooperation or lack thereof. And if these bad actors are coming from outside the US, I would think that that is a national security threat.

Judith Germano: It is a tricky question because they're, you know, they're trying hard. Our government is trying very hard and there are some phenomenal people in government in CISA, at DHS, in HHS, at the FBI, you know, working on these issues day in and day out and really putting a blast of information out that people need to know what tools to protect themselves and their organizations and addressing bad actors.

So I commend the really heroic efforts in that space. That said, there's so much more to be done, and there's only so much that one organization can do because of the interconnected ecosystem in healthcare as [00:17:00] well as other cybersecurity organizations and challenges or, or internet enabled organizations and challenges.

So it's one thing for the government to put out warnings, but we have to ensure that people on the other end have the capacity and the knowledge and are actually heeding those warnings, increasing their cybersecurity, addressing proactively the threats. So there's only so much that one player can do in this big puzzle, and I think we all need to step up and do more. It's, it's very hard and it's a constant effort and constant vigilance is required.

Rick Gannotta: So let's talk about the, the perpetrator, perpetrators, the bad actors. One thing I'm curious and, and knowing more or understanding a little bit more, are the folks who go after, say, FinTech, the same folks who are going after healthcare, or is there literally certain groups that are targeting healthcare, med tech, you know, that [00:18:00] entire ecosystem? And are they different than those that are trying to interrupt or co-opt some element of, say, defense or the finance sector?

Judith Germano: So there are multi layers of cyber criminality and nation state attacks that we're seeing in cybersecurity, and there are people who have specializations, for example, in obtaining credentials and gaining access. There are others who have special, special experience and skills, and once they have those credentials and access, actually infiltrating the networks.

Others who may be better at reconnaissance within systems, siphoning out data, initiating destructive attacks. And then there are others whose business model is to specialize on leveraging the information, negotiating for the highest ransom, et cetera. So it is a, a criminal, there's criminal enterprises, criminal ecosystems.

I think the Change Healthcare is a good example [00:19:00] where we're seeing in, in the media, you know, this disconnect between the, the people at different stages of that organization or of, of the attack. You know, the person who got the access credentials is saying that they weren't paid their share that Black Cat reaped in the ransomware.

So it just shows how there are many levels of, of this. Do they specialize in certain companies or fields or healthcare, for example? I think that depends. I, I think that there are certain criminal actors who may have areas of specialty or focus where they may put their intentions.

There are also some who are supported or funded by nation states who, you know, governments who want them to focus on certain areas of the infrastructure. And then there are others who are agnostic, you know, [00:20:00] industry agnostic, and they're just looking for, let me put out an algorithm and find wherever a certain vulnerability may be and hit anybody I can and go out for dollars.

So it really does vary.

Rick Gannotta: Yeah, and I, I would imagine that just the synthesis between MedTech, FinTech, social media, consumerism, there's a common denominator through all of them that probably represents an appealing target for any bad actor that's out there. I, along the lines that you're saying, let me, let me get back to folks who have been hit by this.

And, you know, I, I have an acquaintance of mine who's a, was in a radiology practice, very big practice. He was held up for ransomware, had to pay them in Bitcoin. It was, it was just incredible to me. That happened. That must have been four or five years ago. I don't know how pervasive the issue is.

I'm thinking that it's much more than folks think. But let me ask you about how do we protect [00:21:00] ourselves with even cyber insurance when we get down to the issue has happened? How important is cyber insurance for healthcare organizations when you look at this? Because it's becoming so, you know, prevalent.

Judith Germano: It, it is very prevalent and it is prevalent on all scales, you know, from individual providers to major hospitals, to massive pharmaceutical companies, for example. But cyber insurance can be very helpful. What we've seen in the last couple of years is that the price of insurance has gone way up and the amount of coverage has gone, unfortunately, down.

So certain companies and organizations need to have cyber insurance as part of their contracts to ensure that they're doing business. They may be required. Others want the cyber insurance to know that they can get coverage for, for an attack in terms of potential insurance that may cover ransomware payments, [00:22:00] insurance that may cover a review of the systems, a restoration of systems, recompense in a data breach situation where they need to send out data breach notices and potentially, you know, address victim harm to individuals from data breaches.

So there's different types of things that insurance may cover. Though there are some companies who have said, these attacks are so large and so devastating that I'm going to self-insure because it may just be the end of my business if this happens. Or it may be that the amount of coverage that I get is not sufficient.

So those, those are different companies are taking different approaches. But as a general basic rule, having cybersecurity insurance can help and is often now becoming a standard requirement to do business with others.

Rick Gannotta: Let me talk about, you know, an event itself, or not, not retrospectively, but for an institution that [00:23:00] may unfortunately be in the middle of some sort of a ransomware attack or a hack, et cetera, are there best practices for in the moment response recovery? What should healthcare entities even consider when it comes down to an initial response?

What are the best steps if you were to advise someone on a, on a process?

Judith Germano: Great question, Rick. So the best steps start before any incident occurs. It's necessary to be proactive, given the enormous prevalence of cybersecurity or cyber crime attacks. Companies are judged more often on how they handled the attack, what they did to prepare. To prevent the attack and how quickly and transparently and well they responded, and the fact that they were victims anyway.

You know, there are so many different ways that major companies and governments are being attacked. It's what did you do to prevent it, and how well did you respond? So it's essential [00:24:00] to have, as I mentioned earlier, you wanna have two factor authentication, is a necessity. It is a basic thing that we're, you know, with exceptions should be, you know, employed everywhere.

It can, it's a low cost solution. There's also the updates, the firewalls, the patching, and restricting access, worrying about insider as well as external threats. Those things are all very important proactively, but then you get to how will the organization know if they are victims of an attack? What flags do they have in place to identify issues or problems?

And then who's in charge? This, again, should be decided ahead of time, but who, how are you ensuring proper notice of attacks? Are, are there flags? And then who's looking at those flags and who do they report them to? And then when you have notice of an attack, how swiftly do the people who are responsible for the response, how swiftly, how effectively do they address it?

[00:25:00] And a lot of times there are judgment calls, understanding, making sure that you're asking the right questions to know, you know, we may be seeing something on a certain computer. Well, how quickly might we have to isolate that computer or shut down the entire network?

Assessing the risk at every stage. Understanding is this reportable? Do we have to tell our regulators, how quickly do we bring in law enforcement? Maybe they can help us with identifying the threat actors and identifying the, the modus operandi of the threat actors, where they may be going in their systems based on the data points that you can get from, from the threat.

So how well, and then how effect, how well is the response handled and how effectively are the communications both internally and externally? Communication is such an important piece of properly managing the crisis. Communication with stakeholders within an organization, with public, with constituents who may be impacted with regulators.

All of those things really make a big difference. [00:26:00] And the best thing is to practice it, study it, talk about it ahead of time. Get well prepared so that you at least have some muscle memory of what needs to happen in an actual crisis. And then realizing you need the playbooks, you need the plans, but a lot of it is a flexible, flexible time in the moment decision making.

So you need people with good judgment who are going to respond well in crisis and not focus irrationally or unnecessarily on blame in the moment as opposed to, let's get through this crisis and make sure we're doing the right thing.

Rick Gannotta: Now I think about a dynamic process like the delivery of healthcare services for patients, for individuals, and how interruption in that service can have a, a direct impact on someone's health, their condition, even their life, and thinking about that and, and again, potential disruption to workflow. I, I, I would imagine [00:27:00] that that having drills or redundancies or some operational plan, so that it is more than service recovery, it really is continuation

Judith Germano: Right.

Rick Gannotta: of service is essential.

Do you agree with that or any insights along those lines?

Judith Germano: Completely agree. Rick. You know, redundancies and ensuring a, a continuity of business operations is so important in the healthcare sector. People need their medicines, people need their treatments. The system has to continue to function. So ensuring adequate redundancies and testing them to make sure that they actually work is, is really important.

And also prioritizing the key points, right? Health and safety first, what does that mean for a particular organization? And, and then protecting client patient information, highly important. What does that mean in a particular organization? Financial systems, business operations, all of those things, they should be discussed.

[00:28:00] It should be part of an overall plan. And then testing the plan reveals the weaknesses and the holes, so you understand those ahead of time, preferably, as opposed to being caught, caught short in, you know, in an incident response situation.

Rick Gannotta: You know, Judy, there's so much happening positively on the med device side with wearables and just so many things to advance healthcare remotely, standoff care, care in the home. I think that probably presents some unique challenges when you think about cybersecurity, particularly when you have a lot of it in the hands of a consumer or a patient, but it's opening up this doorway, this portal.

How do cybersecurity threats affect medical devices and, and are there, I know there's some regulation that came through over the past year or so, but is it enough or do you see this as a, as an emerging threat?

Judith Germano: I do think this is an [00:29:00] emerging threat or it's a, it's a threat that's here now and continuing to be of greater concern as we become more dependent on internet enabled devices, which can be wonderful in helping people to live their lives better or have better access to care or to information, but it also presents additional portals of risk and it's something that needs to be managed.

So it is really important that as we adopt these new technologies, we think of the cybersecurity risk and implications. Having a wearable can be very useful, but is it reporting data such as location or other personal information that could cause damage to the person or, or harmful results? Are there default passwords being used on internet enabled devices that could make them more prone to hacking? What type of security is ensured and checks are put in [00:30:00] place to address cybersecurity concerns, particularly if someone could tamper with a medical device and change insulin amounts that are being provided or, or other risks like that?

You want to make sure that cybersecurity protections are there and constantly tested and constantly evolving as the threats continue to evolve.

Rick Gannotta: Yeah, because it has a very unique and individual nature to it. When you think about medical devices, as you mentioned, like an insulin pump or some other lifesaving device, I think it would, it's an area of particular concern I think for anyone who's been in the med tech industry working on some, I think really groundbreaking and care changing innovations that are out there.

So, more to come on that. Let me talk a little bit about innovation. Security, and I almost think about this similar to or akin to regulation. How [00:31:00] can healthcare organizations, startups, other folks who are out there in the health sector balance this need to continually innovate, push forward with these adoption of technologies like we're talking about, but also maintain this imperative to cybersecurity?

I think it's important. Is there a balance or what, what's your, what's your thoughts on that?

Judith Germano: It has to be cybersecurity by design, cybersecurity and privacy by design, baked in from the beginning. And now that's easy for me to say, whereas when you have a new product and a new idea and a, a big opportunity with a small budget, you know, how do you balance that? But given the significant risks and the threats that are involved and the potential liability if it's not done appropriately, it's, it's essential to bake in to the design and in the innovative stage from the start.

What are the cybersecurity implications of this product? What are the [00:32:00] privacy implications of this product or this application? And are we doing what we need to do to address them in the most responsible way?

Rick Gannotta: Now let me stay on that theme as we get to the end of the show here. What advice would you give to healthcare professionals, executives, folks who are in, you know, founders of startups and organizations across the board, to safeguard against these cybersecurity threats? Are there resources, are there best practices that you would recommend for a go-to source or the source of truth on this that you yourself really subscribe to?

Judith Germano: Yeah. Well, CISA, C-I-S-A, is an organization, part of the Department of Homeland Security, that focuses on helping organizations of all sizes address cybersecurity threats. I think they do a very good job of putting out information, including healthcare sector specific information. In [00:33:00] terms of understanding what the threats are, I think the biggest point is that cybersecurity and privacy have to be prioritized within the organization.

Understanding there are many priorities, but a head-in-the-sand approach is not acceptable. We're so far beyond that, you know, by, by a decade, but we're still seeing shortcomings in terms of basic cybersecurity steps and hygiene that have to be followed, and companies need to understand that they enlist, either internally or through external resources, the right talent, the right information, the right briefing on cybersecurity threats, and make sure that they are practiced and poised to respond when the probably, unfortunately, inevitable attacks do occur.

Rick Gannotta: Judy, I've gotta wrap it up with this question, and I ask it of many guests, but for you, I think it's, obviously it's, it's so much more pertinent right now. How did you arrive in this place with cybersecurity as a focus? [00:34:00] Given your, your legal background, you're a lawyer, the areas of expertise that you have, obviously in the, in the, in the world as a, a, a member of the prosecutor's office in, in, in New Jersey, et cetera, where you could have gone with this.

How did you, how did you arrive at this place and where are you going?

Judith Germano: Well, where I'm going remains to be seen, but on how I got here, the, the short version is I actually went to law school interested in becoming a, helping companies through crisis and becoming a crisis response and strategy pro, you know, expert and advisor, and then got to law school and realized how much I loved the practice of law.

And the opportunity to be a federal prosecutor was awesome and amazing to me. And I loved the career with government for 11 years, but part of my last years in government was working on cyber crime, overseeing cyber crime cases and prosecutions and [00:35:00] working with many companies, back now in 2013 is when I left government, in responding to cybersecurity incidents, and I saw there that there was a major problem and opportunity to help companies better understand what they needed to do to get ahead of this.

So when I started my law firm in 2013, people said, no one's gonna pay you for that. And I said, well, this is really important. I, I want to, people need to get ahead of this. Organizations need to understand how to appropriately respond and address proactively cybersecurity risk, how to work with the government, have the right conversations to help us all get through these kinds of challenges.

So August 2013, I started my company. Target was November 2013, known in December 2013, and one after the other. We had Anthem shortly thereafter.

And it's just been a, a very busy decade or so.

Rick Gannotta: Well, Judy, it's [00:36:00] been an absolute delight to have you on the Healthcare Nation Podcast. I predict we will have you back if you're open to it because there's so much going on in the space and you're just such a fantastic, again, source of knowledge and truth on the subject. We're so glad you're in the field and great to see you and thank you so much.

Judith Germano: It was my pleasure. Thank you so much for having me on your show.

Rick Gannotta: Take care. Bye.