Hannah Trum: I'm Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. A data breach’s financial and reputational risk isn’t unique to healthcare or industries that touch sensitive or personal information. Organizations of all shapes and sizes need to seriously assess their cybersecurity stack and find weak spots in their infosec protocol more often than they probably are. If your organization doesn’t have a dedicated cybersecurity or compliance team, how would you learn more about what you should be doing? Where can you turn to? How do you even know what you’re supposed to do? My guest today is Jane Harper. Jane is the senior director, information security risk management and business engagement at Eli Lilly and Company. Jane has decades of experience in information technology across various industries, including healthcare, and has created and implemented infosec policies from the ground up. She and I discuss the importance of a robust cybersecurity stack no matter the size of your organization, how to use your professional network to your advantage, and we discuss advice for the next generation joining the industry. Hi, Jane. Thanks for joining me today. I'm going to jump right into these questions. You have almost two decades of risk and security experience in various industries, including finance and healthcare, two sectors often hit relentlessly with cyber-attacks that are literal gold mines for bad actors. Do you think that all industries should handle sensitive information and prepare for and assess risk in the same way?
Jane Harper: So, that is a great question.
What I would say is that there are many similarities and differences in both what and how risk management is executed. I’ll separate my answer into the “what” and the “how” perspective of risk management.
Absolutely, all organizations need to do it. Because all organizations have some risks. Risk is inherent. We have to continue to say that over and over again, none of us are going to get away from risk. So the needs assessment is important for every industry in every organization.
Now, here's where a little bit of the difference comes in. From a different perspective, like the uniqueness of various industries, finance, healthcare, insurance, every organization within every industry can have a unique risk.
And they have to be managed, uniquely.
When I think about this, I laugh sometimes because the fundamental misunderstanding of what true risk management is gets lost in these types of messages. I often see organizations or people jump straight from threat to risk. They're not the same thing.
So each organization will need to understand its own threat landscape, the vulnerabilities associated with it, and then assess their risks.
Now, let's talk a little bit about the how.
From the “how” perspective.
There can also be similarities and differences foundationally. You must have a consistent repeatable process for how you identify and treat risk. You have to monitor, you have to report and all of those wonderful stages in between.
In my book, Risk Management 101, I talk about the seven phases that I have found success with. When we talk a little bit about the difference, it goes back to that uniqueness. Each organization's individual tolerance and appetite.
There may be risk in an organization that the executive leadership team decides they can accept. It doesn't necessarily mean that the organization down the street and around the corner does the same.
Hannah: It's not a one-size-fits-all kind of thing.
Jane: You got it. It's not a one-size-fits-all type of thing.
Hannah: This leads me right into my next question. I say this in every episode, being proactive is the name of the game in cybersecurity. You have led successful risk assessment and program implementations across hundreds of departments, which are very proactive steps. What do you think is the first step any organization should take to identify risk within their data security?
Jane: Great. So, for me, risk management is about the things that are important. We only execute risk management rules on the things that are important. But things that don't matter, we don't care about the risk.
When we think about that, let's talk about something as simple as data. Imagine data is an asset. Organizations must understand what their assets are, understand what's important, and then execute the appropriate level of risk management for those assets. Otherwise, you'll find yourself spending more money for the control or to manage the risk associated with the asset than what the asset is actually worth.
Hannah: Do you think that assessing an organization's risk once a year, especially in our current work-from-home and pandemic climate, is enough? Only they know that?
Jane: In all honesty, it really didn't have to do with the type of assessment. You should think about your risk management portfolio the same way that you think about the technology stack. The same way that you think about tools in a toolbox, right? You don't pull a hammer out to do the job of a screwdriver.
Hannah: I mean, I might, but I’m not very handy.
Jane: Then it begs the question, again, about what I talked about previously, did you exert more effort than you needed to get it to work?
Hannah: Working harder and not smarter.
Jane: You really should have a toolset. In that skill set, when you think about risk assessment, that might be something that you do every year because of the complexity, and the moving parts, etc. But that shouldn't be the only risk assessment that you do.
If I think about what's going to work and what’s going to be successful, is you should have risk assessment tools, processes, practices, for various types of risks for various types of threats and vulnerabilities.
It doesn't have to be one and done. And it should never be one and done. But it doesn't always have to be that huge, overarching assessment every two to three months.
Hannah: Yes, it needs to be proactive. We were talking about security stacks and IT stacks. A robust cybersecurity stack that does its job, aka doesn’t allow cybersecurity risks in, can be very costly. However, we both know that a data breach is often more costly. To me, investing in technology now seems like the only choice for any organization. Why do you think so many organizations, but especially in healthcare, are slow to invest in these easier-to-use or more innovative security solutions?
Jane: That's really a good question.
I have seen everything from they don't know any better to they can't read the writing on the wall. When I think about my financial services background, for organizations it's really, really hard to justify spending capital on things that don't clearly have a defined return that can easily be tracked and measured.
But at the end of the day, for the organizations that know better, but choose not to do better, it's common, they have higher empowerment for it. So they look at it and they say, bird in the hand, one in the bush. My risk tolerance tells me I'm going to keep this bird in my hand. As opposed to worrying about the two that might be in the bush around the corner.
Hannah: I've talked to a couple of my guests before about this. And I think as more millennials join the workforce and take on bigger roles where they're making the shots, it'll be easier to phase out. Because technology is very hard. It's changing all the time. And it might be harder for those maybe baby boomers to, like you said, grasp and understand and really see the writing on the wall.
Jane: Well, I'll tell you, don't discount them. I do think to some extent, we all stand on each other's shoulders. Which is so important, especially for us as women, right? I take some of that knowledge, that foundation, that wisdom and then build upon it.
Because I'm telling you, I want to see this next generation of cyber professionals come in here and knock it out of the park. I do also recognize that even when I think about the work that I've done and what I think I'm able to do in the future, there's a limit to that.
I go out and I talk to young early career professionals all the time and try to entice people into our field and say we need that young brain trust, that natural curiosity.
Hannah: We work in an industry that is very much dominated by men. As a leader in this space, what kind of advice do you have for women in tech or STEM infosec who are entering the workforce?
Jane: Oh my goodness, there are a number of things that I would share with you.
Hannah: What are your top two things? We could probably spend a whole hour talking about this.
Jane: I'm gonna be really candid and I'm gonna say this. Looking over the course of my career, there are days that I came home and said, “Man, the guys really play rough.”
I'm gonna be honest with all of you, especially the ladies that are coming into the field. There are a couple of things. Build the network relationships. You're going to need to have a natural curiosity that makes you willing to learn, but also coachable. It does take a little grace here. And I'll add one more beyond those two because there will be challenges.
Hannah: My motto is that if you're not learning, you're not growing. And then neither is your company. And that's just a disaster for everyone. Part of it is, people think your education has to continue, meaning school. But it's really anything that piques your interest or anything that you can enlighten your brain on. That really applies to that saying. I'm glad that you brought up networking because I read that you believe in the power of your network. I totally agree. You and I are very similar. If you don't know the answer, you find someone who doesn't know the answer. I do the same thing because it helps me make a decision for larger decisions. I can weigh someone else's professional advice against mine. When figuring out new strategies, or exploring new technologies, do you find it essential to reach out to your network and see what they're doing?
Jane: It's that natural curiosity, but it's also what I call our professional obligations to each other. I don't just reach out to people in my industry or even people in my age group. I talk to my wide spectrum of my network, my millennials, even my Gen Z folks, saying, “give me the Cliff's Notes.”
Hannah: Give me the 4-1-1.
Jane: Right, exactly, or what some of them say the TikTok version.
Hannah: Yes. Yes, exactly.
Jane: I think that is very important. We have to be able to do that.
There was one talk that I gave about third-party relationships. Before going to give that talk some of the millennials on my team told me about a new technology they want to use. I took it to that talk with me. I'm using it during the talk. And I talked about how they influenced that decision.
The network is important. This is for the ladies, not just about what's new and what's happening, but getting a pulse on how they're doing in the environment as well. Sometimes you just need that sister girl’s shoulders to sit with.
I listened to some board members talk about diversity, equity and inclusion recently, and one of the things that the male board members said, that really resonated with me, was that you have to have stamina. So the ladies, build that network to help you with your family.
Hannah: Yes, I totally agree. You should pick everyone's brain that you possibly can. There are tons of people that, I would say, are in my network, but maybe aren't necessarily my friends, but they can give me some solid advice, outside of, like you said, the women that I am close with, or the people in my age group that I'm close with. Switching gears just a little bit and going back to networking. How do you think organizations that can't have one or can't afford a dedicated risk or compliance officer go about researching solutions?
Jane: There are some really good professional organizations and there are really good opportunities to gather free information.
So for example, I think NCSA pushes content all the time, that's free to everyone. You can go out and gather and leverage for your organization, things like Cyber Security Awareness Month. Leverage those things. Find a freebie.
Hannah: I use [NCSA] resources all the time. I'm always on the website reading resources because it’s literally coming from the word of the horse, or whatever that saying is.
Jane: The horse's mouth.
Hannah: Yes, that's what it is.
Jane: No idea how we came up with the horse's mouth. The other thing is you want to be developing that talent. What you may need to do if you have people who have the ability to do that type of work, you may want to sprinkle some of those requirements into existing positions and job descriptions. Yes, while you continue to develop those because you're going to be that talent.
Hannah: Because I am a millennial, I think it's part of a company's job to continue to educate and push their employees. I think it's a great thing to say, “Hey, we're hiring for this position but you have to learn. You have to take compliance classes or you have to take HIPAA classes or whatever it may be.” It's better for your organization. And it's better for that person as well.
Jane: It's the serendipitous relationship when both the organization and the individual person get the benefit. Mm-hmm.
Hannah: I see this funny meme. I've seen it on LinkedIn, a business meme, of course. And it's like, the CFO says something like, “Well, if we pay for all these education classes, what if they leave?” And then the CEO is like, “What if we don't and they stay?” To me, it's the same with this. You can apply it to anything. You can definitely apply it to cybersecurity. If we aren't proactive, and we don't pay for these things, it's going to happen anyway. It's inevitable, we're going to be attacked.
Jane: That is so good. What if they don't leave? Right? And then you've got this non-knowledgeable body of people that you were challenging to keep up with the changing threat landscape? That's a very powerful picture.
Hannah: Nothing is worse than an unmotivated worker. That's for sure.
Jane: There's a talk where one of the stories that I share with the audience touches on that. That, I think, is a very powerful story.
Hannah: So speaking about all of the things that you have learned in your career, how do you use what you've learned to approach risk management or data privacy in your off-hours life in your personal life?
Jane: My Gen Z and millennials are teaching me you can learn from everyone. What I will say is that I talked about this in my book Risk Management 101. I actually risk assessed my husband before.
Hannah: I would do the same. I'm not kidding you, Jane, I do the same thing with everyone.
Jane: It's a natural part of my fiber. One of the things I'm really proud of is that I like to talk to early career professionals. I like to go out and do volunteering in the mid-range. I will probably retire before we get to where we want to see it.
Hannah: I think we will both probably be retired. And there's a lot I would like to see that I'm not sure is really tangible in the next 50 years or so. But that's okay. So that saying makes sense, “talking from the horse's mouth.” I promise I will never get it right. It's fine. And every time you hear it now you'll chuckle and you'll think about me and it'll be great. Well, Jane, do you have any last-minute words of wisdom for any of our listeners?
Jane: Much of the success that you see in my career has been really a blessing to be able to work with some of the most talented people in the industry. I have led some of the most amazing talents all over the world and on multiple continents. I'm grateful that they were able to see my vision, buy into my vision and sign up to join my team.
Hannah: That's amazing. And then you get to do that for the next generation of women.
Jane: Yeah, that's what we do. We do. So thank you very much, Hannah.
Hannah: To learn more about Jane Harper or resources on HIPAA compliance and cybersecurity in healthcare, please head to paubox.com/blog. Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.