Rural hospitals are not too small to be targeted. In fact, they are often more vulnerable.
In this episode of The CereCore Podcast, Phil Sobol sits down with Chris Riha, Senior Cybersecurity Advisor at CereCore, to talk about one of the biggest risks facing community hospitals today: cybersecurity.
Chris brings a rare operator perspective. He spent more than 14 years inside Carilion Clinic leading clinical systems and medical device security and previously worked with the US Army Medical Department and MITRE. He understands both the operational realities of hospitals and the growing sophistication of cyber threats.
They discuss:
• Why rural hospitals are often targeted
• The real impact of cyber incidents on communities
• What a fractional CISO model actually looks like
• How tabletop exercises build confidence and muscle memory
• Federal and state funding opportunities many hospitals overlook
Chris shares a powerful story of a critical access hospital that survived a cyber incident thanks to preparation, but not without significant strain on a very small IT team.
If you are a rural CEO, CIO, board member, or healthcare leader trying to balance limited resources with growing cyber threats, this conversation offers practical, grounded guidance.
Connect with show host Phil Sobol, Chief Commercial Officer at CereCore
Connect with Chris Riha, Senior Cybersecurity Advisor at CereCore
Phil Sobol:
Welcome to the CereCore podcast, where we focus on the intersection of healthcare and IT. From practical conversations to strategic thought leadership, let's unpack the decisions, challenges, and journey of those whose purpose it is to deliver technology that improves healthcare in their communities.
Today, we welcome Chris Riha to the CereCore podcast. Chris is a senior cybersecurity advisor at CereCore, where he leads our cybersecurity advisory organization. What makes Chris's perspective especially valuable is his operator background. He spent more than a decade inside a large health system, Carilion Clinic, leading clinical systems, engineering and technology services, managing teams, medical devices, and the realities of day-to-day hospital operations. Chris also brings experience from the federal and defense side, including work with MITRE and the US Army Medical Department, giving him a unique lens on risk, resilience, and security at scale.
Today's conversation focuses on a challenge many rural hospitals face: how do you close growing cybersecurity gaps without hiring a massive team or blowing up the budget? We'll talk about why the rural cyber talent gap is widening, what the fractional CISO model really looks like in practice, and how CereCore's operator experience and ability to expand capacity help smaller hospitals protect themselves, keep the lights on, and even innovate.
Chris, welcome to the CereCore podcast.
Chris Riha:
Thanks for the introduction, Phil. Great to be here.
Phil Sobol:
Excellent. Well, you've got a unique background, starting in clinical engineering and biomedical. How does coming from the world of medical devices change your view on cybersecurity, perhaps compared to the traditional IT path?
Chris Riha:
That's a great question. The medical devices have always been a bit of an enigma for folks in cybersecurity, particularly the IT folks that didn't have a lot of experience working with them. My background, as you mentioned, is that I've worked for a large independent healthcare delivery organization, Carilion Clinic. Prior to that, I was a contractor doing clinical engineering work with the Army and the Department of Defense. One of the things that came to light there is that the DOD is a very secure environment. And when you're putting new medical devices into a hospital there, it's the same as putting in a new server or computer. It has to go through all the cybersecurity challenges and rigor that they have. This was prior to that being the case in the civilian sector. And then when I transferred to the civilian sector, it was actually a good fit because that was at a time when there were a lot of cyber threats that were just starting to emerge. So it's a great question.
Phil Sobol:
Well, you had mentioned your time at Carilion Clinic. Before moving into advisory, what was maybe the moment where you decided, "I'm going to switch from that operator side to the advisory side of things"?
Chris Riha:
I have what I call itchy feet. I had been with Carilion for 14 years, and I just thought it'd be interesting to get back into the consulting world where you can actually, I think, make more of an impact than just on one organization. So I transitioned to the consulting world, where I worked for MITRE, which actually has the gold standard for cybersecurity. They're a federal government contractor. I worked on some interesting projects during the COVID period. Then when that ended, it was time to look around again, and the opportunity at a major medical device manufacturer came up. So I got to see that side of the coin. Then, as I mentioned before, I have itchy feet. After doing that for a while, I took a bit of a sabbatical and then came to work for CereCore, where I can really follow my passion, which is helping rural hospitals and under-resourced hospitals address the cybersecurity challenges that they're facing.
Phil Sobol:
Oh, that's excellent, Chris. You mentioned rural healthcare, and so we'll talk a little bit about that. I mean, we often see, especially with rural, that there's quite a divide between the haves and the have-nots. In your experience, what do you think is maybe the single biggest disadvantage that rural hospitals often face when it comes to cybersecurity right now?
Chris Riha:
The rural hospitals are very resource-constrained, not just with cybersecurity, but really with everything they do. And that is a disadvantage, but I give those folks credit because they become very creative in the way that they address those challenges. They wear a lot of different hats. And a rural facility, particularly the critical access hospitals, it's a part of that community, just like a church or something else. It's not just a hospital. It's really embedded in that community. And the folks have a lot of pride in those hospitals with one of the reasons being that no matter who the patients are, they're probably a friend or a relative of the employees that are working there. So there's a lot of pride and very creative ways to address the resource challenges.
Phil Sobol:
Oh, no, I love the fact that you use the word pride because I see that day in and day out when I talk to these hospital leaders that are in those rural markets. And they do. They take pride in the fact that they're there to serve their community and that it's a very personal mission for them.
We often hear some rural health leaders, particularly when it comes to cybersecurity, say, "Well, we're probably too small to be a target." Not sure that's necessarily the case. So do you have a story or perhaps a metric that you can point to that brings to light why that's probably not the best way of looking at things for these individuals when they're looking at cybersecurity threats?
Chris Riha:
That is true. Actually, no organization, or not even any individual, is too small to be overlooked. As we're aware, individuals can be victims of this, and it can cost them dearly as well. So no matter what business you're in, none can be too small. As a matter of fact, the small ones can often be targeted because of the limited resources and capacity they have.
We've worked with one client, a critical access hospital in a very rural area out west, that was the victim of a cyber incident about a year ago. It was a very eye-opening experience for them. They luckily were able to get through it because they had done some really good backups and were able to pull together and get everything back online, but they were still offline for a couple of days, which is huge for those small communities, because if you're offline, then the folks in the community, if they want to get treatment, could have to drive 30, 40 or 50 miles, sometimes over mountainous terrain and tough geographic areas.
Phil Sobol:
No, it's a very valid point. I think just because the impact might be a little bit smaller, or the ransom you can ask might be a little bit smaller, sometimes these bad actors see it as an easier avenue or a way into something larger. So it is one of those things that I think everybody's got to be paying attention to.
As we look at these rural hospitals, do you have any advice for those organizations as they start assessing maybe the current state of their organization as it relates to the skillsets of their internal team, as they look at their devices from, you'd mentioned from your background, med devices and just the applications in their portfolio?
Chris Riha:
Really, it's the same advice I give any organization: take a look at what you have. It's imperative to maintain an accurate inventory and also stay abreast of the current trends. Network, network, network, whether through professional organizations or through your colleagues. There are a number of different organizations that are available, particularly for cybersecurity, through the federal government, and also the rural health organizations have resources for that. However, it really does come down to having technical expertise and knowledge that is onsite and being proactive with that. That's where the services that CereCore provides can help, where we're able to provide expertise that the small facilities would not necessarily have or be able to afford, nor would they need full-time. That's where we bring value to our clients.
Phil Sobol:
Yeah, I think that's a good call out as it relates to full-time versus fractional capabilities. So maybe that gives us a good segment to talk a little bit about what we teased at the top of the podcast, which was most organizations that are of a certain size just don't have a full true dedicated CISO, and whether that's from a budgetary standpoint or perhaps even a lack of being able to find someone from a local talent perspective. So maybe if you would dive into a little bit about how having that fractional CISO support would work to help build that gap and that need. And then, really, in the context of that, how does that fractional CISO come in and work with the organization, building trust with the other internal IT and the other leadership inside of the organization?
Chris Riha:
As I mentioned earlier, the rural hospitals are very creative and they're very resource-constrained. They wear a lot of different hats in those organizations. I was on a call last week with one of the clients we're working with at a critical access hospital, and the compliance manager is now in charge of the HIM department. So they're spread really thin. The fractional expertise that can be brought to the table for them is something that can provide a lot of high-level technological assistance and guidance without having to maintain a full-time FTE for that, because in those small hospitals, a full-time FTE isn't warranted.
The other expertise we bring is the whole army of resources we have at CereCore. It's not just one person, a Chris Riha, but we have a whole array of different talent we can bring in on a fractional basis if need be, whether it's for doing tabletop exercises or any type of technological remediation that we can do. There's a whole talent pool at CereCore we can dive into.
Phil Sobol:
Well, I think you mentioned something I always find it inspiring, but at the same time, it's challenging for these rural health systems and hospitals is that you do have people that are wearing so many different hats and they do the best they can, but ultimately, you can't be an expert in all of those different areas. And so I think that's where even some of the justification really resides when it comes to bringing in external talent, because it's one of those things where, yes, you can maybe keep the lights on with one person spread across multiple disciplines, but are you really going to close all the gaps? Are you really going to accelerate and take advantage of what needs to be taken advantage of? And I think that's where another one of those values that we really want to talk about.
Well, we talked a little bit just about some of the gaps there. Another one of the huge gaps is just funding, right? When you talk about the haves and the have-nots, and I know that's always a challenge for a lot of rural hospitals. We've done a lot of research. I know you're on the team that's working on it as well, just in and around the rural health transformation program funding and some of the other funding mechanisms that rural health can tap into from both a state and a federal government standpoint. So maybe talk just a little bit about how rural health should be looking at those sources in the context of their cybersecurity posture.
Chris Riha:
It's interesting because if you go back about three or four years post-pandemic, one of the biggest challenges the rural healthcare organizations would be facing if you'd asked the CEOs is, "Geez, we're concerned about all the cybersecurity stuff going on." Now we're concerned about the change in the funding, that we're worried about keeping our lights on, but the cybersecurity hasn't gone away. It's actually gotten a little bit more complex for them.
So what we're trying to do is when we go into an organization, we can do an assessment and say, "These are the things we think would benefit you from a cybersecurity perspective. And oh, by the way, here's some avenues to get those funded." So we don't want to just go in and say, "Here's the things you need to do." We want to say, "Here's some things that we think can help you and here's the way to fund it."
As you mentioned at CereCore, we've got a dedicated team looking at how hospitals can actually work with the grant program, the Rural Health Transformation Program. Each state is managing it on their own. Again, these rural hospitals may not have the expertise to be able to dig through all that federal government bureaucracy. In addition to that, we're also working on a different grant program. It's called the ARPA-H, which was specifically set up in 2022 to help healthcare organizations. So we're looking at potentially getting a grant for that where we could help organizations do tabletop exercises in a very expedient and efficient manner. I'm working with one of the clients we have on a USAC, which is a telecommunications funding grant, helping them walk through that process. So there's a lot of tools that we can bring to the table to help work with them to identify funding to meet some of their needs.
Phil Sobol:
Well, and I think part of that process is just coming in and partnering and understanding that even with certain funding mechanisms, there's still limited budgets. And so sometimes things can't get done year one, and it takes a multi-year process to get from where an organization is today to where they need to be. I think it's that coming alongside, helping them build out that plan is what really makes a big difference. So that's great.
One of the things that you had mentioned earlier was tabletop exercises. So I'd be curious to get your take on just how you see those being helpful for organizations that do have limited budgets on cybersecurity.
Chris Riha:
Well, tabletop exercises, just so everyone's familiar with them, it's a way of testing all the policies and procedures that you have in place in a safe environment. What we've done with a number of organizations, and we'll go in and say, "Okay, this is the particular scenario. You've been hit with a ransomware attack. What are you going to do?" And then we walk them through the process. What we're looking at doing is doing that in a much more efficient way so that organizations wouldn't have to bring in these outside consultants to do it. They could do it on a more frequent basis because it identifies not only the gaps you may have in your technology policies and procedures, but also, just as importantly, it gets that muscle memory of those teams that, "Hey, we've done this in a drill. We can do this in a real time scenario." So it's really a win-win.
A lot of auditors look for that too. As a matter of fact, the NIST Cybersecurity Framework actually requires you to test your policies and procedures, and tabletop exercises are about the best way to do that.
Phil Sobol:
Oh, that's excellent. Well, I appreciate you diving into that for our audience.
We've been talking about rural hospitals and just smaller hospitals in general. As you engage with these organizations, how do you help them really bridge the gap between just keeping the lights on operationally or on the other side of things, locking down the door from a security standpoint? What's the process?
Chris Riha:
One of the things we do, the first thing we do is we go in and listen to them. We find out what they think their needs are and then take a look at what they've already put together, and then we lend our expertise to that. The other thing that we bring to the table is... As I mentioned before, these folks are very creative. Some of these hospitals come up with really good solutions that we'll say, "Hey, we hadn't thought about that." So we're able to put that into our repertoire when we go to other organizations. Basically, it's a knowledge sharing that we bring to the table.
Phil Sobol:
Yeah. Well, and I think that knowledge sharing is great. There's a good number of associations, but at the same point, I think we're able to come in and say, "Hey, here's what we've done for this organization, this organization and this organization," and bring that expertise and be able to then help them apply it to their particular situation, which I think is great.
Chris Riha:
One of the things that a lot of these smaller organizations have is they may be doing things, but they're not documenting the policies and processes, so that knowledge resides with one person. And when that person leaves, there's a bit of a drought. Plus, it's also, there's recommendations that you have to have certain policies and procedures. We have a whole library of those where it's certainly not plug and play, but we can certainly create them in a much more efficient manner than if they were starting from scratch.
Phil Sobol:
Yeah. Well, and sometimes it's such a daunting proposition that having something you can start from and someone to help guide you through it makes a world of difference. And it certainly puts the board a little bit more at ease that there's a plan and a strategy and governance in place around that.
Chris Riha:
You bring up a good point too with the boards, because we're able to brief the boards at these organizations, and they say, "Okay, they've actually brought in some outside expertise," and it eases their angst.
Phil Sobol:
Yep. Agreed. Agreed. Well, Chris, this has been a good conversation. I appreciate the insights. As we wrap up here, maybe I'll leave you with just one more question. For the rural hospital CEO that's out there listening right now, what should they do tomorrow morning to start closing the cyber gaps that they have without having to go and hire a full dedicated cybersecurity team?
Chris Riha:
That's a very thought-provoking question, and I'm going to basically expand on it a little. It's not just the rural hospitals. It could be the resource-constrained ones that are in urban areas as well, the city hospitals that are woefully underfunded and woefully overtaxed. But the most important thing for the CEOs to do is stay engaged, make sure that they have plans and processes in place in the event they are hit with a cyber attack. And as we mention when we do the tabletop exercises, it's not if you're going to be hit, it's when you're going to be hit with a cyber incident. If you're well-prepared, it's going to be a minor incident. If not, it's one that's going to be very painful, and it will hurt your community.
Phil Sobol:
Yeah. Well, and I think that's the biggest thing to take away from it, is that there is an impact to the community, not just to the hospital, not just to the providers, not just to the nursing staff, but truly to the community. You're spot on with the fact that it's not if, it's when. And it's all about what do we do and to be prepared for it and have a plan, execute on that plan. This is where the tabletop exercises come into play so that everyone across the organization knows what they're going to do, how they're going to do it. Nothing comes as a surprise. Yes, is it an inconvenience? Is it a challenge? Absolutely. But if you're following a playbook that you've rehearsed, that you've exercised, not only is the organization going to be in better order, but the ability to serve the community will be as well.
Chris Riha:
Well said.
Phil Sobol:
I thought you... It's great advice. Great advice. Well, Chris, thank you. Appreciate you being on the CereCore podcast and just thank you for all the work that you do for our clients. I know it's a very rewarding role, and at the same point, I know it's also one that's very, very appreciated.
Chris Riha:
Thank you, Phil. And just one last anecdote. The one organization I mentioned we've worked with that got hit with a cyber incident, they had an IT staff of one, and this poor guy ended up working three days straight. And to show you the resiliency of these hospitals, the healthcare workers there were actually babysitting his child during that. But those are the things that we want to prevent.
Phil Sobol:
Well, exactly. Rural is truly community, right? And everyone steps up, everyone goes in. If we can help in any way to mitigate that, possibly prevent it from happening, but certainly mitigate how they have to scramble to respond and put them on the right path, it makes a big difference. So great.
Well, Chris, thank you so much. Appreciate you.
Chris Riha:
Thank you, Phil.
Phil Sobol:
Thanks for listening to the CereCore podcast. We hope you enjoyed this conversation. Follow us on your favorite podcast platform for more episodes. Connect with us on LinkedIn. Visit our US website at cerecore.net, and for those abroad, visit cerecoreinternational.net. Learn more about our services and find resources. At CereCore, we are healthcare operators at heart and know the difference that the right IT partner can make in delivering quality patient care 24/7. Let's help make IT better. Here's to the journey.