The original premise around cybersecurity was essentially that the security guys will give me access and that would be it.

Once we had the Hollywood Presbyterian Medical Cen-

ter breach, and some of the other major breaches that have occurred, either [internally] or via some sort of ransomware attack, then cybersecurity was beginning to be spoken about at the board level. The board would ask questions such as, what might happen if something like this happens to us? Those types of questions were being asked by CEOs a few years ago, and that transformed the industry to take cyberse- curity to the forefront.

So now health system executives are asking, how do we

address cybersecurity challenges? That is where we have come in a short span of time. There was always HIPAA and PHI [protected health information], and the thought was that data was locked in data centers, meaning no one would be able to get it. Or, even if the data was available in the cloud, the [hospital’s] vendor will take care of it. That was the his- toric mindset people had. Even the CIOs didn’t believe that security was a big deal since they had business associate agreements (BAAs) signed by the vendor, and had a half or full cybersecurity person in their organization—despite that person doing nothing more that provisioning. Now, that is changing; there’s a big need to have leadership in cybersecurity, to understand all the factors that could be impacting the industry as a whole. There’s a lot of activity around privacy and security with the federal and state envi- ronments as well. People are beginning to recognize that with all the technology out there, we don’t know what’s happen- ing and why it’s happening, so let’s bring the cybersecurity folks onto the forefront and do something about it.

Some estimates predict that the workforce gap will get even wider in the next three to five years. What can be done to reverse this trend?

When I look at the gap, it may widen purely because there is one area in healthcare cybersecurity that hasn’t been addressed: medical device security. At some point, someone will alter infusion pumps by putting in a higher dosage for the patient, and the patient in some way, shape or form will have a bad outcome. That will change the way people behave with medical devices since it touches the patient. That is going to happen at some point in time, and I really hope it doesn’t, but when it does, it will catapult the need for [greater] cybersecu- rity in the industry. However, if you take that medical device scenario out of the picture, has the industry significantly matured? Yes, it has. It has moved from the back-office discussion to now hav- ing a seat on the board to understand how to manage [risk]. We are seeing a bigger need for trained professionals in the industry and that is why you have so many jobs out there. Every other week I get a request for a CISO position that someone is desperately trying to fill. They struggle with try- ing to find leaders who understand enterprise risk manage- ment, and understand how to mitigate, manage, and move forward while changing dynamic healthcare systems. Not many people have that experience, and have been there and done that. That leads to the mismatch of supply and demand.

Do other industries have this challenge with their cybersecurity workforce? Could healthcare learn from other sectors?

Financial services comes to mind; I used to work in this sector. In that industry, they have spent enough money in

cybersecurity to [improve], purely because they were wor- ried about dollars impacting their customers or members. However, the same paradigm is not applicable in healthcare since healthcare has a unique situation where you’re not just looking at money as the [primary] element. Healthcare begins at the time you go to the gym in the morning to the food you eat to the time when you have some sort of care service. And of course you have devices everywhere on top of that.

As co-director of this new Leadership in Health Care Privacy and Security Risk Management cer- tificate program, what role do you envision your- self having as it relates to training and education for the program’s students?

When we put it together, it was more about how to create the next generation of healthcare cybersecurity leaders. There are a lot of security courses that people can take, and can get a CISSP [Certified Information Systems Security Professional] certification, and that will [teach you] about what cryptography is and how to deploy it. But our course explains why you need to deploy cryp- tography and when to use the right cryptographic tools to encrypt data. The “why” and the “how” has been missing; if you want to know what it is and how you implement it, there are plenty of courses from a technical perspective. But when and why you need to implement a particular type of encryption, and how you explain that to folks, is what was missing. That’s why we put this course together. HI

Statement of Ownership, Management & Circulation for HEALTHCARE INNOVATION Magazine

Publication No. 2641-7502

HEALTHCARE INNOVATION published bi-monthly in 2019, qualified request circulation. Complete Mailing Address of Known Office of Publication (Not Printer): Endeavor Healthcare Media II, LLC, 2477 Stickney Point Road, Suite 221-B, Sarasota, FL 34231. Complete Mailing Address of Headquarters or General Business Office of Publisher (Not Printer): Endeavor Business Media, LLC, 331 54th Avenue North, Nashville, TN 37209. Full Names and Complete Mailing Addresses of Publisher, Editor, and Managing Editor: Publisher, Amy Mularski; Editor, Mark Hagland; Managing Editor, Rajiv Leventhal; Endeavor Healthcare Media II, LLC, 331 54th Avenue North, Nashville, TN 37209. Owner (holding 1 percent or more) - Full name and complete mailing address: Endeavor Business Media, LLC (owns 100% of Endeavor Healthcare Media II, LLC), 331 54th Avenue North, Nashville, TN 37209; Endeavor Media Holdings I, LLC, 905 Tower Place, Nashville, TN 37205; Endeavor Media Holdings II, LLC; 905 Tower Place, Nashville, TN 37205; Resolute Capital Partners Fund IV, LP, 20 Burton Hills Blvd, Suite 430, Nashville, TN 37215; RCP Endeavor, Inc., 20 Burton Hills Blvd, Suite 430, Nashville, TN 37215; Northcreek Mezzanine Fund II, LP, A 312 Walnut Street, Suite 2310, Cincinnati, OH 45202; Invergarry Holdings, LP, 4235 Hillsboro Pike, Suite 300, Nashville, TN 37215 (each owns 1 percent or more of Endeavor Business Media, LLC). The known bondholders, mortgages, and other security holders owning or holding 1 percent or more of total amount of bonds, mortgages or other securities: None.

Average # of Copies Each Issue

Extent and Nature of Circulation A. Total No. Copies

B. Paid and/or Requested Circulation 1. Paid/Requested Outside-County 2. Paid In-County Subscriptions Stated

3. Sales Through Dealers and Carriers Street Vendors, Counter Sales and Other Non-USPS Paid Distribution

4. Other Classes Mailed Through the USPS C. Total Paid and/or Requested Circulation

D. Free Distribution by Mail 1. Outside-County 2. In-County

3. Other Classes Mailed Through the USPS 4. Copies Distributed Outside the Mail E. Total Free Distribution F. Total Distribution

G. Copies Not Distributed Total

I. Percent Paid and/or Requested Circulation

During Preceding 12 Months

43,761 37,672


none none

37,672 0

0 0

371 371

38,042 5,719

43,761 99.03%

I certify that the statements made by me above are correct and complete, Amy Mularski, Executive Vice President


Average # of Copies of the Single

Issue Published Nearest to Filing Date

46,410 36,485


none none

36,485 0

0 0

320 320

36,805 5,719

42,524 99.13%

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28