Simplifying Cyber

Cybersecurity as Patient Care with Nick Sturgeon

Aaron Pritz, Cody Rivers Season 2 Episode 13

This week on Simplifying Cyber, Aaron Pritz and Cody Rivers sit down with Nick Sturgeon, CISO at Community Health Network, Speedway Town Councilor, and current Ph.D. candidate at Purdue University, for a conversation about the challenges of securing systems that no longer stay within four walls. When healthcare happens almost everywhere, how do you keep patients, caregivers, and data secure?

Nick shares how his IT background landed him a role in law enforcement, walks through some of the unique challenges cybersecurity practitioners face in healthcare today, and touches on what politics taught him about understanding people's motivations in the workplace.

🔗 Connect with Us & Get in Touch

Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.

No gatekeeping and no BS. We’re here to simplify.

Official Website: www.revealrisk.com

LinkedIn: https://www.linkedin.com/company/reveal-risk

🤘 Stay Secure with Us

If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates.

Reveal Risk delivers cybersecurity results, not just reports.

SPEAKER_01:

Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz. And I'm Cody Rivers. And today we're here with Nick Sturgeon, who's the Chief Information Security Officer of Community Health Network, based in Indianapolis but covering a lot of Indiana. Nick, welcome to the show. Nice to talk to you.

SPEAKER_00:

Yeah, thanks for having me. I'm excited to be here.

SPEAKER_01:

Awesome. And noting that you are hailing from a podcast studio of your own. I think you are a prior or current podcaster yourself. Is that correct?

SPEAKER_00:

Yeah, the podcast I have is on hiatus while I'm finishing up my PhD. So not a lot of time. And as you guys know, there's a lot of time and effort that goes into doing a podcast that isn't just doing this: it's the pre-game stuff, it's the post editing, and all of that stuff takes time. And being the host of one, all that stuff falls on me. And so I don't have the time.

SPEAKER_01:

PhD, fairly new CISO role, and then also town councilman. So maybe let's use that as the segue to get right into the who is Nick Sturgeon conversation. Give us a little bit of your story, maybe starting kind of how did you come up in cyber, and then obviously some of the things that you're into now.

SPEAKER_00:

Yeah, so I've always been in technology. I had my Bachelor of Science in MIS from Indiana State back in '03, got into actually law enforcement early on. Moved out west to Las Vegas for about a year, came back for some personal reasons, having made that move back in 2006. Got into law enforcement. I was part of the 67th Recruit Academy for the Indiana State Police. Actually, it was my IT and tech background that really helped kind of separate me out from the other 6,000 plus people that applied for the 150 spots that were gun, badge, and server credentials.

SPEAKER_01:

That was the topper there.

SPEAKER_00:

Yeah, I really do think it was the IT piece that pushed me over and kind of had that differentiation between all the other folks that were criminal justice majors. So yeah, I got in the academy in '07, early '07, January 26th, to be exact. I'll never forget that day. In the six months of the academy, which were fun. But I always knew I wanted to be in, of course, now, cybersecurity wasn't really a thing back when I was in undergrad. It was, you know, cybercrime was a thing, information security. But I always knew I wanted to blend law enforcement and my IT background and was able to get in and do that early on in my career. I got promoted to sergeant in our IT section. So really got to immerse myself in both the IT side, supporting an enterprise network of applications, and got into actually supporting the ISP Cybercrimes unit, being their tech support, but also getting digital forensics, cyber forensics training, and that led me to Purdue to get my master's in cyber forensics. And then, you know, from there the opportunities with my career in the private sector opened up. And I actually did a little stint at the Indiana Office of Technology, running two statewide cyber programs for a couple of years, and then on into the private sector after that. And then I was at EY for a little bit, got the consulting piece. I was at Pondurance, I managed their security operations center for a little bit, and then, prior to here, how I got into healthcare was I worked for IU Health for a little over four and a half years, and then the opportunity at Community opened up, and it's not often here in central Indiana a CISO role in healthcare opens up. So it's one of those things, it's like if I don't do it now, who knows when it's gonna happen again. And obviously got the job and been at Community for just over two years now.

SPEAKER_01:

Love it. So being in healthcare for a while and obviously navigating through Change Healthcare, which I think opened the eyes further of a lot of health plans and healthcare organizations on the importance of business continuity and downtime procedures. But kind of what's been your eye-opener?

SPEAKER_00:

That happened basically two months into me as a new CISO. So imagine coming in as a brand new CISO and here's Change Healthcare.

SPEAKER_02:

Wow, boom, cross welcome to the team.

SPEAKER_00:

Yeah, here you go. Nothing like, you know, trial by fire, right?

SPEAKER_02:

It's like, don't you miss that Nigerian prince from like 15 years ago, just trying to get his wealth out of the country? And he's evolved.

SPEAKER_00:

Yeah, oh, or going way back, the Mariah love bug, you know, since it is the day before Valentine's. There you go. Yeah, that's old school.

SPEAKER_01:

You better knock on some wood. AI just heard you and they're gonna spin up the love bug 2026. You don't want that. Knock on some wood there, buddy. Nick's ready, man. Nick's ready.

SPEAKER_00:

Yeah. Awesome.

SPEAKER_01:

Well, I think, give us a little bit more insight on being part of healthcare, human health, maybe what's different from some of your peers, and kind of the focus, maybe, of those that are in other industries, manufacturing. What is it about human health that's kept you there for six-plus years? And then maybe what's different, based upon the focus or the tactics that you're using, versus other industries?

SPEAKER_00:

Yeah, great question. You know, as I mentioned, I bounced a little bit after leaving law enforcement. That public service side of me, you know, we call it you get the bug, or it's in your blood to go into public service. And really, healthcare is probably the closest to that mission of law enforcement, of service and protection. Really, the way that I look at it, and I've looked at it since I first got into healthcare, is if we don't do our jobs and our systems are not secure, lives are at stake. And that's really what drives me and my mission, and that purpose of what I do, and what I say to my teams. It's like, if we fail, people could get hurt.

SPEAKER_02:

Makes sense. Well, I kind of want to talk about this identity crisis of modern security. I know you've had the same thought too, but you often mention that the perimeter is no longer just the hospital walls; it's kind of wherever the patient or the employee is. And we mentioned before how OCM, or organizational change management, is that bridge that helps people accept this new, more intrusive reality. So how do you use OCM to change the narrative from "IT is watching me" to "we are guarding this mission together"?

SPEAKER_00:

Yeah, you know, COVID really just exploded the perimeter of not just healthcare, but all enterprise systems. It isn't just the four walls of the building anymore. You've got your device, and everybody, or most everybody, has their corporate email hooked up to their personal devices. You're at home working on personal devices, you've got patients that are coming in and out of networks, and especially, I think the challenging part with healthcare is we've got medical devices in patients' homes now. Home health has been a huge thing. It's exploded since COVID, because of COVID. And so now there is really no true perimeter. It has really expanded to every patient's home, every employee's home. And so that makes it challenging to defend. The concept of, well, I only have to worry about these four walls, is no longer. And now, as CISO and security teams, you've got to think about how do we defend against this, and the tools and the technologies change to be able to do that. Security, by the way that we do it, we're a friction point for the business. It makes things harder.

SPEAKER_02:

Yeah.

SPEAKER_00:

Passwords, multi-factor authentication, all these other things interrupt those business flows where typically I'm just gonna get it done. And nope, I gotta log in and I've got to type a password in or hit a hardware token or whatever the case. But that takes time. And in healthcare, kid you not, and I've said this in open forums before, nurses especially will count. Well, if I have to enter two more keys, you know, go from eight to ten or ten to fifteen, that is going to be five seconds of additional time. And if I've got to enter in my password every 30 minutes, every hour, they will calculate the time over a week, over a month, and a year of how disruptive those changes are to patient care. And so if you're in manufacturing or if you're in just a normal business, okay, so what? But when it's actually, you know, if there's an emergency, somebody comes in the ED or somebody's in ICU, that impacts patient care. So when we talk about OCM, it's like we've got to think about how is this going to really impact patients and the delivery of health care in either the ambulatory or acute settings.

SPEAKER_02:

Yeah. Well, and I think too, you mentioned earlier in your famous ISP or police background, you had a badge and a uniform to kind of signal authority. Now as a CISO, you don't. So how do you exert that influence and drive change across the organization where you can't just give a citation for bad cyber hygiene?

SPEAKER_00:

Yeah, and I think that's even in leadership too. When I was a sergeant and I had people, you know, chain of command, I'm your boss, you're going to follow my orders. And in the civilian sector, you don't have the same. Yeah, I may be your boss, I could write you up, but now I've got to get HR involved and get all these. So how you lead is different, how you influence people is different, definitely different. And I think where I have found that has been successful is connecting to patient care. It's like, and say we're in the same thing: we want to make sure you're able to provide that patient care safely. And it's no different than, you know, every year we've got to do all the infectious disease trainings and all that. It's no different there. It's just digital versus physical. And so having that conversation and relating what we're trying to do to what matters to what we call caregivers, or employees, that helps. Now, it's the 80-20 rule generally: most people get it. And then you're just going to have that certain population that doesn't want to do it. But okay, we can work through that. But I think really trying to relate what we're doing to the mission of our health system is kind of that first step of getting folks to get on board and adopt whatever new security role or change or policy that we try to implement.

SPEAKER_01:

No, that's great. Yeah, and Nick, for similar reasons, Reveal Risk. You know, I spent a lot of my career in pharma, but we've heavily aligned to human health, whether that be pharma, life sciences, biopharma, health care, and then also payer insurance, which has many challenges, not only from a cyber standpoint, but just kind of how patient care is being funded and all of that. So we've been thankful and excited, motivated by having a huge part of our practice be focused on that. I want to go back to a comment on perimeter. You were talking about remote work and COVID, and obviously we've all adjusted from that, but it's still adjusting. I would say it's never done, because that perimeter is always changing. Maybe broadening the question a little bit, because I've seen kind of the new perimeter shift again with AI. And I'm curious your thoughts, especially within healthcare, as you think about e-health prescribing and telehealth, deepfakes. Like two questions. One, what are your biggest risk concerns with AI? And then what are you most excited about within AI and healthcare?

SPEAKER_00:

Yeah, I mean, there's so much. And I think we're not even at the tip of the iceberg with the risk of AI in healthcare, or in the industry in general, or in life in general. But really, it's okay, for AI to work, it needs access to the data, given that HIPAA and even other state privacy laws are around the data, the breach of the data. It's okay, how do we put controls and limits and have good governance on the vast amounts of data, and it's stored in a number of different locations? But how do we effectively apply those controls and permissions and labels, so that whatever model it may be, if it doesn't meet these certain policy criteria or conditions, then it doesn't get access to the data. When we were first talking about turning on Copilot at Community Health Network, we've been pretty headfirst into AI and not shy about using it, but you've got to do it cautiously. And it's like, okay, we've got to get data governance down, because Copilot has got access to Teams and SharePoint, email box, and all of that. If permissions aren't set correctly, and somebody has set something that's got PHI or PII or financial information for anybody in the network to see, then even if it is just doing what it's doing, it's a tool, and that could potentially cause a breach, because the tool has got access and the data has been exposed to one or more individuals that it shouldn't have been exposed to, that PHI, and we've got a data breach on our hands.

SPEAKER_01:

Yeah. Nick, have you seen a resurgence of the decades-old topic of info class, data classification? You mentioned data governance.

SPEAKER_00:

Yeah.

SPEAKER_01:

I mean, we're working, proclaimed that, hey, for your Purview instance, you're gonna need data classification to be able to tell us what you want in or out of Copilot.

SPEAKER_00:

Yeah, and in utilizing Purview as well as Varonis to help with that classification. I mean, it's a machine. Yeah, it's a much smarter tool than maybe what we're used to. But if the metadata says this is PII or PHI, and we've got those rules that say you cannot be accessed except under these conditions, da-da-da-da. If it's just open, it's not gonna know. It's gonna say, oh, okay, I'm gonna try to do what I need to do. Oh, here, whatever key terms in the prompt the user's asking for, I'm gonna go out and do it. So while it's intelligent, it's still a tool, and it's just gonna go do what it's been asked to do. And to me, that's been my biggest worry: that overexposure of data on steroids. Yeah.

SPEAKER_01:

Before we move on, Nick, what's the thing you're most excited about, just to counter the concerns and the threats?

SPEAKER_00:

So, you know, it's not just the admin day-to-day efficiencies that you can get with AI. It's just the opportunity in the healthcare sector, with some moderation and human intervention, of diseases and cancers, potentially finding cures for those things that, because of limitations in prior technologies, we may now have the ability to get cures for, or provide different healthcare outcomes, because of all of the data coming together and finding those correlations or connections that, because of data sets being disparate, now AI could help bridge those gaps and find better treatments than maybe we've been able to get before AI was being used.

SPEAKER_02:

I want to chat a few things too about, you know, back to OCM and kind of process type things. I know some CISOs will see process and OCM as a phase two activity or something to do after tech is deployed. I think you're a little more innovative. Do you believe that it should be the first step in the design of a security program, or where do you see process and OCM fitting in that kind of phase of rolling out a tool?

SPEAKER_00:

Yeah, and you know, we were talking about this off-camera, so to speak, beforehand. In my previous role it's like, okay, here's the project, implement the technology, get it done. Really, and no fault to anybody, I come in as CISO and get my first big project, a security implementation, a new tool that we're putting out there. And the tech part was the easy side of things. It was, oh, how are we communicating this? How do we get the adoption? Because we really were forcing adoption of this particular technology. And the friction point throughout was the OCM: folks thought we were being intrusive, or people didn't want to give up the information, or didn't want to download the app on their phone, or whatever reason that they came up with. And again, just from lack of experience, I should have put more focus on the change management and the adoption at the beginning of the process, the effective communication and the why, and really even getting out to the workforce earlier to say, okay, how would this affect your job and disrupt those processes? Again, it's knowing the business, it's understanding that nurses and physicians, other providers, they just want to be able to get to the patient and have that conversation and get the treatment plans and all that stuff as effectively and efficiently as possible. But these security tools, again, like I mentioned earlier, are disruptive to that, even if it's just a second. And so, to really answer your question, it needs to be a part of the beginning stages of every project. I think that's one thing Community does very well. And again, part of me coming into the organization new was to understand that and learn that.
And I feel that again, as the role of CISO has changed from being highly technical to really being more of that understanding of the business, you still gotta understand the tech. That'll never change, but the shift of tech to business acumen is definitely a higher percentage of the business acumen.

SPEAKER_02:

Yeah. Well, I always think, if-you-had-to-choose question: you could choose between a $1 million Gartner Magic Quadrant top-right tool with a 0% OCM budget, or a $100k tool, maybe a challenger up-and-comer, with 100% org buy-in. Which one keeps you sleeping better at night, and why?

SPEAKER_00:

I would say the latter, because, and I actually had this conversation recently here in the last couple of days, people will find ways around the security controls and tools. And I've said this for years. I want people to go through the security tools and controls that we have set up, because I can monitor for it, I can alert on it and understand it. So even though I've got my own feelings about Gartner, I would rather have something that's going to get 100% adoption by the organization, even if it may not be the most tested or the most brand-recognized tool. We can make the technology work, get it to work along the way, but at least we are getting the adoption of our workforce.

SPEAKER_01:

Having some FOMO, you've got a great question game going on. So we're going to keep them coming out rapid fire for Nick. You mentioned business knowledge and understanding the organization. And I know you've had some experience with both sides of this, so I bet you have a good opinion or answer. You have a choice between filling a role, let's say it's a GRC leader role or something kind of in the medium tech requirements bucket. Do you hire a practitioner, a business person within the organization that has a high motivational fit and desire to learn cyber? Or do you hire the stereotypical infrastructure guy that knows the nuanced depth, and you know they're going to be rock solid from a tech standpoint, and teach them the business of healthcare?

SPEAKER_00:

Yeah, I think it depends on the specific role. And I've actually had to make this decision in previous roles: what do I want? Again, if it's from an offensive security perspective, I need a senior pen tester, I want the high-end technical person for that type of role. If it's a GRC or maybe it's kind of mid-level, I may choose the person that's got the fire and wants to learn. And my feeling has always been I can teach people technology, but there's those soft skills and certain things that people either have or don't. And if I need that, I guess if it really came down to it, give me a person who's highly motivated with zero skills. I can mold that person into what I want them to be and I can teach them the technology. But it's really hard: somebody may be highly technical, but if they're not motivated to learn and get after it, they're not. I would much rather the former.

SPEAKER_01:

Yeah, no, and you failed to ask me for a "C, all of the above" answer. In the real world, all of the above is often not available. That's what we call a unicorn. So from my corporate experience as well, I have had success on motivational fit winning, and some really good hires from the business side that actually went on to, we've had one of them on our podcast, Chris Fr, that went on to build a career out of cyber after coming out of finance and Six Sigma.

SPEAKER_00:

So yeah, it does depend, but totally agree with you, like motivational fit and desire usually trumps all. Yeah, and it's, you know, I do the political answer of "it depends," but one of the things, and I kind of get off on a little side tangent here, is, and I've experienced this as well coming up in a non-traditional cyber background, is, well, you don't have this certain pedigree. And it's like, you wonder why we're in such a position of a large number of jobs not being filled when certain folks, not everybody, but certain folks say, well, you've got to have this pedigree. Well, we need new blood. It's going to take folks from different areas to come in, folks that don't do the CS or the highly technical degrees and dah dah dah dah. We need folks that come in from different areas, because, as I said, some of the roles are changing, especially with GRC or kind of these IT audit type of roles, where we need folks that understand technology, know how it incorporates into the business, but they don't have to be highly technical, at least starting out. But again, if they're motivated and they want to learn Python or SQL or whatever, give them the opportunity to upskill. All right, man, I'm going to bring it home with some kind of fun questions now.

SPEAKER_02:

You know, I want to kick off with one that's a new one, so even Aaron doesn't know this question. But what is one cybersecurity word you wish you could ban from the boardroom to make change management easier?

SPEAKER_01:

That's a heater, Cody.

SPEAKER_00:

I know, man, I'm coming in hot. That's actually not so much a word, but maybe just, we're afraid of the CSI effect, you know, that cyber happens like that. Some of these things just don't; it takes time. And I've seen that in juries and in other aspects, where they watch a TV show and be like, oh man, you can hack a cell phone in two seconds. No, you can't, not really. Or you can pull this data in this record speed, and it's like, nah, that's not really how it works in the real world.

SPEAKER_01:

Mine, Cody, you didn't ask me, but I'm going to offer, is "eyes on glass." And that's probably more of the cyber leader saying that versus the business, but at this day and age, like, when are we not eyes on glass? And it's kind of a catch-all for, like, we're gonna do it all, it's gonna be fine, we're getting people with eyes on glass. Also, is it glass anymore?

SPEAKER_02:

Are people still rocking CRTs, or like the CRT monitors? Is it all like "eyes on OLED" actually? Invalid, so I'm gonna call the next person out that says eyes on glass. Well, cool. Well, Nick, also, I like to ask, obviously you're a seasoned leader in the area, respected by a lot of people and doing a great job out here in the community, in the CISO community. But you get to pick up the cell phone, you get to call the Nick of 20 years ago and give him a couple sentences or a couple blurbs of advice. What are you calling yourself and telling yourself 20 years ago, with some advice? Yeah, be patient. You know, things happen when they will, when the times are right. There's things, even career-wise, in trying to make that move, you want the right fit. You don't just want to rush at the first opportunity.

SPEAKER_00:

So be patient. I think that I struggle with that all the time, but to go back and say things will work out the way they're supposed to. There are lessons to be learned in the situations that you're in, and just absorb everything.

SPEAKER_01:

Awesome. Nick, I mentioned at the beginning, as we were talking about, well, my reflection of how do you get it all done with councilman, PhD, CISO, and probably kids and all your other hobbies that you probably have. But what have you learned, without getting into politics and all that, what have you learned by being in politics and being a councilman within your township, and how that translates to politics that are in the workplace or specific departments, and so on and so forth?

SPEAKER_00:

Yeah, we'll stay away from the big-P politics and all that stuff, but really it's about dealing with people, understanding people's motivations. Again, how do we get people to do things that we want them to do without that threat of authority, the badge and the gun, if you will, that Cody brought up earlier? But it's interacting with people, really paying attention to understanding their motivations, their wants, what drives them to do things, and really utilizing that on the council side and in the big-P politics, and bringing it in here. Same things; it's just politics of different flavors. So there is some crossover there.

SPEAKER_01:

So understanding, and having to deal with getting yelled at as a council person because folks don't feel like you did something right, you know, as a policy decision, or you come in on the CISO side and, well, why did you change this security policy, and getting yelled at there. So there's a little bit of similarity. I can imagine, you were mentioning the weather being negative 10 and water mains breaking across the state and you've got to deal with complaints. Probably the same thing, like, are you blocking cloud Copilot with full open access to everything on your PC in the network? Probably some similar conversations to say, like, hey, we're trying to help, here's what's reasonable.

SPEAKER_00:

Yeah, very much so. There are a lot of similarities there.

SPEAKER_02:

Oh, it's, you know, this security upgrade broke this and the business is screaming, or how dare you, how dare you do this. I did one tour on my, I thought I'd change the world and joined my HOA for a brief two seasons, and realized that it's not how you change the world, so I resigned immediately. Anyway, well, Nick, thank you again for the time today. We really appreciate it. It's been great hearing from you, and I'm sure listeners will enjoy it as well. But Aaron, I'll let you wrap us up.

SPEAKER_01:

No, no, I think you already have, Cody. And Nick, really appreciate talking to you, as always. Thanks for all your passion on human health, healthcare, general public service, as always, and keep fighting the good fight, and we'll all win and save the world one person at a time, together.

SPEAKER_00:

Awesome, thanks for having me on, guys.

SPEAKER_01:

Awesome, thanks everyone.