A Whole of Nation Approach to Cybercrime: Secure by Design, Secure by Default

00;00;00;26 - 00;00;39;15
Tom Haederle
The vast apparatus of America's government - so many different branches and agencies and departments - knows how to come together in times of crisis. We saw it in wartime. We saw it during the pandemic. It's often called a "whole of government" approach to dealing with a threat or emergency. Today, many experts believe that we need another whole of government approach, and even more, to face down the ever-growing threat of cybercrime.

00;00;39;17 - 00;01;18;00
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. The federal government and the private sector may be apples and oranges in many ways, but they face a common danger from ever escalating cyber attacks that continually test our readiness and capabilities. In truth, the entire nation is at risk. In this podcast, John Riggi, National Advisor for Cybersecurity and Risk with the AHA, talks with two experts from both the federal government and private sector health care who agree that what's really needed right now is a "whole of nation" approach to handling today's cyber risks.

00;01;18;03 - 00;01;24;17
Tom Haederle
What does that look like? What does it mean? Let's join John and his guests to explore those questions.

00;01;24;20 - 00;02;03;20
John Riggi
Thanks, Tom, and thanks to everyone listening. Today we'll be discussing two concepts which are vital to increasing the nation's readiness and capability to defend against the ever increasing high impact cyber threats, threats which are equally faced by the federal government and the private sector, threats we face as a nation. It has become crystal clear that what is needed is the federal government and the private sector to work together to deliver secure technology to consumers, proactively share cyber threat information, and engage in operational collaboration for effect against the bad guys.

00;02;03;22 - 00;02;33;28
John Riggi
Here with me today are two friends and colleagues who are the nationally recognized and highly accomplished leaders. One from the federal government and one from health care to discuss these concepts from their unique perspectives. First with me today is Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency known as CISA. Prior to joining CISA, Nitin Natarajan served in a variety of public and private sector positions spanning over 30 years.

00;02;34;00 - 00;03;00;21
John Riggi
Nitin also held a number of federal government roles to include: as a director of critical infrastructure policy at the White House and National Security Council. Nitin is very close to health care as he served as a director at the U.S. and Health and Human Services and also served as a hospital administrator. Nitin also served as a first responder serving part of that time as a flight paramedic in New York.

00;03;00;23 - 00;03;31;14
John Riggi
Also very pleased and privileged to have with me my friend and colleague Brian Gragnolati who was president and CEO of Atlantic Health System, a multi-billion dollar health system in New Jersey with 18,000 employees covering over five million lives. He was also former chairman of the board of trustees of the American Hospital Association. Brian is a frequent speaker at events such as the Aspen Ideas and regularly appears on national media to provide his expert opinion on health care issues of the day.

00;03;31;16 - 00;04;01;21
John Riggi
Brian has served in a variety of hospital and health system roles for the past 40 years, including as a senior vice president at Johns Hopkins. Gentlemen, thank you for being here with us today. Nitin, let me start with you. We often hear the phrase whole of government to describe a multi-agency approach to a particular problem. Historically, this approach was used in the basis for the federal government's strategy in the fight against drugs, counterterrorism and even the pandemic.

00;04;01;23 - 00;04;27;29
John Riggi
It is clear we need all government agencies involved in a whole of government approach to combat the global cybersecurity threats that U.S. hospitals and health systems in all of us in critical infrastructure are supposed to. When we say that cyber is different from the above threats and what we truly need is a whole of nation approach for us to effectively confront the complex and rapidly evolving global cyber security threats we face.

00;04;28;05 - 00;04;34;21
John Riggi
What does that mean to you, in CISA, in terms of public and private cooperation?

00;04;34;23 - 00;04;57;10
Nitin Natarajan
John, great to be here with you and thanks for the opportunity to talk about, I think, two topics that I love talking about, which is cybersecurity and specifically health care. I fully agree. I think, you know, this is an organization that is built on partnerships, and partnerships are core to what we do. And I couldn't agree more with the need for a whole of nation approach and arguably a whole of global approach, as we know, as folks in cybersecurity, borders mean a lot less.

00;04;57;10 - 00;05;24;26
Nitin Natarajan
And so we need to work closely with our partners in the public and the private sector. You know, CISA has a long standing history of working with the state, local, tribal, territorial governments, the private sector, as the foundation of what we do. And it's actually built into the way we receive input, the way we create our documents, the way that we conduct our meetings, to be able to make sure that we have individuals from those respective areas speaking to the challenges that they're facing and working together to come up with solutions that we can all implement.

00;05;24;27 - 00;05;56;06
Nitin Natarajan
This is not a federal government solution. This is truly a bi-directional effort so that we can understand from each other. We can learn from one another and we can tackle these issues together. In fact, when you look at how those sectors are set up, which again, our foundation for what we do here in SSA, each of the 16 critical infrastructure sectors of which health care and public health is one has both a government or council comprised of federal government, state, local, tribal, territorial government, and a sector for a council that's actually independently organized and led by the private sector.

00;05;56;08 - 00;06;19;05
Nitin Natarajan
And those two entities together are work to solve what are really immense challenges impacting each of those sectors that we can bring to bear not just a federal government solution, but a sector solution that builds upon what industry has been doing, is doing and can do, combined with what services and support the federal government can provide. We know this is not a federal government solution.

00;06;19;07 - 00;06;47;23
Nitin Natarajan
This is not a private sector solution. This is a joint solution that we need to tackle together. And our entire partnership construct that we utilize is based upon that need and then being able to work across sectors to again identify challenges, identify interdependencies, and work together to increase our overall resilience as a nation to ensure that those health care and public health efforts can continue as we face both physical and cybersecurity threats across our nation on a daily basis.

00;06;47;26 - 00;07;09;10
John Riggi
Yeah, thanks for that. Absolutely correct. In the fact that it truly does require that leveraging of the expertise across federal government and private sector, because the reality is there is far more people in the private sector working cybersecurity, far more expertise and experience. And again, opening up those channel bi-directional - I love that phrase,  bi-directional channels of communication.

00;07;09;10 - 00;07;24;18
John Riggi
So, so very important. Brian, from your position as CEO, could you provide your perspective on how you define a whole of nation approach to cybersecurity? And how do you and Atlantic Health System exchange cyberthreat information with the federal government?

00;07;24;20 - 00;07;49;27
Brian Gragnolati
Sure. Before I do that though, I just want to put cyber in the context of what we do as health care organizations. You know, clearly our top priority in health care organizations is really accessible health care that is safe and meets the needs of our communities. A cyberattack on a health system impacts our ability to care for patients.

00;07;50;00 - 00;08;33;17
Brian Gragnolati
Because of that, we need to do everything we can to prevent a cyberattack. And if attacked, we need to respond quickly. So one of the most important things that we need is knowledge and an early warning mechanism. That's really why this whole of nation approach is so important. So the ability to connect into the FBI or CISA and know that their work is coordinated is essential because we need to get those early warning signals and we need to understand that resources are available to help us and those government resources are supplemented also in the private sector.

00;08;33;19 - 00;09;04;14
Brian Gragnolati
I think in the health care industry, we've shied away from engaging with the federal government early on. And I think it's very important that that change because the information that we provide will not only help ourselves in a very bad situation or staying out of a bad situation, but it will also provide information to others to again, build their defenses because we're getting attacked millions and millions of times a day.

00;09;04;16 - 00;09;18;01
Brian Gragnolati
And again, this is a crime against humans. This is not a financial crime. And we need to do everything we can to protect our patients, protect our caregivers, and make sure we're there when those communities need us.

00;09;18;03 - 00;09;42;05
John Riggi
Totally agreed, Brian. And again, your insight into the fact that these threats, which are targeted against health systems, not only impact the privacy and security of data, which is important, but that's secondary to the threat it poses to patient care and patient safety. We've seen time and again the delay and disruption to health care delivery caused by high impact ransomware attacks.

00;09;42;08 - 00;10;03;25
John Riggi
Absolutely do represent a threat to life, a threat to humans. So, Brian, I know you've emerged as a leader on this issue in cooperation with the federal government, but have you thought about or have others cautioned you on there, or is there a potential civil or regulatory risk for getting involved in this robust cooperation with the government? And what about during a breach?

00;10;03;25 - 00;10;09;14
John Riggi
What is your advice to your fellow health care CEOs?

00;10;09;16 - 00;10;43;16
Brian Gragnolati
So health care is full of risks. And every day we trade off on those risks and a myriad of things that that we're engaged in, in this very complicated business that we're in. But I'll go back to what our core responsibility is, which is access and safe care. And so as I think about that, we've got to get as much information as we can, and we've got to have those partnerships, those early warning devices in order to best temper ourselves and protect ourselves because our attack surface is huge.

00;10;43;19 - 00;11;06;29
Brian Gragnolati
You know, we've got a little over 19,000 employees right now, and that's our attack surface. Right? It's very huge. So whatever we can find out and how we create those partnerships, I'll defend that any day of the week. As it relates to a cyber attack, again, when an attack occurs, it can shut down the normal processes of patient care.

00;11;07;06 - 00;11;26;19
Brian Gragnolati
And as Nitin knows, having been a flight paramedic and we share the EMT part of that, not the flight part, the criticality of that is enormous. If we're going to be reaching out to the government for assistance and knowledge, I'll take that bet every day against losing a life of a human.

00;11;26;22 - 00;11;57;12
John Riggi
Appreciate that, Brian. And clearly, you know, that is leadership in action. Leadership requires action, obviously, and entails risk. And your altruistic vision of why we're doing this, all of us in this business ultimately are to protect lives, to care for folks. This is a shared mission between certainly health care and certainly with the federal government. Nitin, this year, the White House released the National Cybersecurity Strategy in March in the National Cybersecurity Implementation Plan this month.

00;11;57;14 - 00;12;21;27
John Riggi
As you are well aware, since you and CISA contributed greatly to the development, the strategy and plan pillar one of the plan includes: the objective to scale public and private partnerships to drive development and adoption of secure by design and secure by default technology. Could you explain to us what that means and could you provide us with any examples?

00;12;22;00 - 00;12;43;06
Nitin Natarajan
Secure by design, secure by default is a huge focus of ours this year. And when I say ours, it's not just about CISA frankly, it's about this entire cybersecurity ecosystem. And as we've had engagements with the private sector, they've really welcomed in. The feedback has been very positive. And how do we look at secure by design, secure by default in all that we do on a day to day basis.

00;12;43;09 - 00;13;10;06
Nitin Natarajan
So what does it mean when we talk about secure by design? What we're asking is that what we buy, what is made, what is developed in hardware and software is made in a way that looks at cyber security and those efforts upfront and throughout the lifecycle of that development, that it's not something that's thought about at the end or something that's thrown in after the fact or something that's disregarded, but something that is thought of through that entire developmental lifecycle and making sure that we are insisting on that.

00;13;10;12 - 00;13;32;00
Nitin Natarajan
As part of that, we're also looking at making sure people are using things like memory, safe languages and other types of technical tools that we're able to ensure security in the design of that hardware and software. When we talk about secure by default, what we're saying is that we should have security built in as part of what we're buying, that it's not something we're paying extra for an additional package,

00;13;32;02 - 00;13;50;13
Nitin Natarajan
it's not something that we have to enable, right? When we buy something, we should feel comfortable that there is a high level of security built into that. And so when you think about example, if you think about things like default passwords, right, that are set for everything that frankly, if you don't go in and actively change, you're leaving a potential vulnerability open for an adversary.

00;13;50;20 - 00;14;10;10
Nitin Natarajan
So how do we make sure that we're doing this? I think there's a number of things that we're looking at. And how do we transfer some of that risk from right now that resides with the end user that arguably often they may not even know that they're accepting back to those that are actually developing the hardware and software? And so we're really looking at the shift in how we look at security and what we do.

00;14;10;12 - 00;14;36;17
Nitin Natarajan
So how do we drive some of that and we drive some of that through what we're buying. And so how do we encourage organizations, public and private? We're looking at this within the federal government as well, to know what we're actually purchasing and to really look at building that cybersecurity question and efforts into our acquisition cycle. I've worked in state and local government, I've worked in the private sector, I've worked in the federal government, and often looking at security is not a lens that we use in our acquisition process.

00;14;36;19 - 00;15;02;12
Nitin Natarajan
And so we want to encourage folks to do that. If you're buying a new EMR, you're buying a new piece of hardware, you're buying something within your facility, then you're building in that understanding of the security risks with that hardware or software into it. And how do we encourage manufacturers to be producing more secure software and hardware? And then how does the end user build that into their decision making and then essentially driving the industry in a way to do more of that?

00;15;02;12 - 00;15;18;23
Nitin Natarajan
Because that's what we're going to be looking at from an acquisition perspective, hopefully using that to drive decision making and industry. To me, it's something we apply to our personal lives as well. If I'm looking for a new bank, do I choose a bank that uses multifactor authentication or a bank that does it right to protect my information.

00;15;18;25 - 00;15;39;28
Nitin Natarajan
So being able to make that shift is something that's going to take time. It's going to take collaboration with industry. But our initial feedback that we've received has been extremely positive and we're really excited to work with industry and adapt as we take us forward. This is not the government forcing X or Y. It really is something that we want to work collaboratively with industry, with the private sector, to move these efforts forward.

00;15;39;28 - 00;16;02;13
Nitin Natarajan
I mean, I think the beauty of CISA as an agency is that we're not the intelligence community, we're not law enforcement, we're not the military. We truly are an agency that wants to help. We want to work collaboratively with our partners, the private sector and state, local and tribal territorial government to identify challenging problems. We're working together to come up with solutions that we can jointly implement and deploy, because, again, it has to be a group effort.

00;16;02;16 - 00;16;07;10
Nitin Natarajan
We're looking forward to continuing to make progress on this collaboratively in the days and months and weeks to come.

00;16;07;12 - 00;16;37;01
John Riggi
Yeah, thank you for that Nitin and for our listeners, that's not just Nitin Natarajan's opinion. Government has moved specifically and incorporated that philosophy into the White House's strategy. The title of Pillar Three of the strategy and implementation plan is Shape Market Forces to Drive Security and Resilience, including the objective to shift liability for insecure software and products and services away from the end users and back to the developers of that technology.

00;16;37;03 - 00;17;15;23
John Riggi
We as organizational individual consumers have become accustomed to receiving technology which is insecure by default, insecure by default. As we have to update that new computer or download that software. So I think this is a tremendous initiative to really shift that paradigm. Brian, from your perspective as the CEO of a large health system heavily engaged in cybersecurity and the widespread use of technology to improve business and clinical efficiencies, improve patient outcomes and save lives, what are your thoughts on this concept of secure by design and secure by default when it comes to technology?

00;17;15;25 - 00;17;41;22
Brian Gragnolati
Know I'm a little embarrassed to say that until I started getting more involved in these conversations, I accepted it. I accepted imperfection and having to do all that Nitin described and you just described. So my comment is, well, why not? You know, why are we not being better consumers here? You know, we don't purchase things where there's known imperfections in drugs.

00;17;41;24 - 00;18;04;09
Brian Gragnolati
We don't purchase things where there's known imperfections in devices. And we certainly don't expect to fix or patch something before we implanted into a patient. So why is it that this software and other technologies like that it's it's okay to accept this and it's one of those things where we have to just say as a purchaser, we're not going to do that.

00;18;04;14 - 00;18;27;00
Brian Gragnolati
So how do we make that happen? And so as a CEO of a company, I've really begun a pretty large discussion in our organization about how we purchase things and how we look at this, because oftentimes we're racing for functionality to help a particular problem that we have or racing for integration, and we leave security on the side.

00;18;27;00 - 00;18;53;29
Brian Gragnolati
So we've got to make that an upfront question in all of these purchasing decisions and we're certainly going to be doing that. I also think that we need to do this with those who are developing these technologies. And I'm on the board of a technology company that is starting up and with our technology stack as a board member, because of what I know now, I've really encouraged them to deal with these issues upfront.

00;18;54;01 - 00;19;13;20
Brian Gragnolati
And that's really where it starts. It starts in the purchasing organizations and it starts in the boards and leadership of these technology companies coming together saying this is just not acceptable and we've got to do something better. And you know what? Sitting on both sides of those, I can tell you that that can happen successfully.

00;19;13;22 - 00;19;36;12
John Riggi
Thank you, Brian. I think you hit on one of a main thread which runs through all these discussions. Again, we've accepted insecure by default. And I remind folks that hospitals do not, for the most part, write our own operating system code. We do not build our own medical devices. We rely on third party technology, which is often the vulnerabilities in that technology.

00;19;36;18 - 00;20;05;21
John Riggi
That's what is exploited by the bad guys to get on our networks, not our own computer code or medical devices. And the other piece you touched on, leadership. I find that ultimately the most effective concept tool methodology to help mitigate cyber risk starts with leadership, just as you, Brian and Nitin in recognizing how important it is for the leadership to recognize the threats, to demand demand from the teams that you purchase more secure technology.

00;20;05;21 - 00;20;41;27
John Riggi
Just recognizing that risk alone helps reduce the risk of the organization. Nitin, back to you. Having technology which is secure by design and secure by default, absolutely necessary. But I think especially necessary as we enter the age of exponential growth in generative artificial intelligence. As we know, A.I. holds potential for great reward, the potential to cure cancer. But it may come with, as some say, the risk to cause great harm, even to the point of posing as, some say, an existential risk to humanity.

00;20;41;29 - 00;20;51;01
John Riggi
What are your views on A.I. and the possible threats related to A.I.? And what should we be doing at this moment in the development of this technology?

00;20;51;04 - 00;21;23;15
Nitin Natarajan
So, John, I think I think we're in an interesting position as we look at generative AI. AI has been around for a while. We utilize A.I., everything from data analysis, other aspects of what we do, and this generative AI effort, which really has grown significantly over the last 12 months, presents us a wonderful opportunity to tackle something, especially at the ground level, or as close to ground level, as I think we can get when we talk about the speed of technology, the speed of advancement, to really start having these responsible use discussions, these security discussions early on in the process.

00;21;23;15 - 00;21;46;02
Nitin Natarajan
We've seen software and hardware transformation going back 20, 30, 40 years. There's been major technological advances that we've seen. As those things that occurred, we didn't have that security discussion as early on in the process as we have the opportunity to do so now. And this is really where it's critical. I think AI is going to be game changing in all the sectors and especially in health care.

00;21;46;04 - 00;22;07;24
Nitin Natarajan
I'm really excited to see where industry takes A.I. as we look at patient delivery and just frankly, health care management more broadly. And data analysis and visualization. But at CISA we're responsible for looking at the good and the bad. So we see a lot of benefits, but we also want to look at the potential risks and we want to better understand both from a vulnerability perspective, but frankly also from an adversary perspective.

00;22;07;26 - 00;22;31;04
Nitin Natarajan
You know, as much as we talk about things like AI helping us go through code, right, to understand where there's potential vulnerabilities, an adversary could use that same capability to generate malicious code to use against us. So while we see significant benefit in what we're doing, we know adversaries are frankly also looking at how they can use generally AI to benefit their needs.

00;22;31;06 - 00;22;48;01
Nitin Natarajan
So we really have to look at how do we use A.I. responsibly and what does that look like, both from the government perspective, from the industry perspective, how do we look at assuring A.I. systems? And as we talk about a lot of the tools and capabilities are being developed that we're looking at that security aspect, how do we look at critical infrastructure?

00;22;48;02 - 00;23;09;08
Nitin Natarajan
Owners and operators are really looking at the focus versus a sense and how do we use A.I. in critical infrastructure effectively? And then really, how do we also look at A.I. in the workforce? How do we educate the workforce, in fact, really, to understand what A.I. is, how it can be used effectively, and where it can really contribute to the execution of our mission.

00;23;09;11 - 00;23;39;11
Nitin Natarajan
So I think we are looking at AI from both perspectives here within CISA. But again, I think because the development of this and the utilization of this is not sitting here in a federal agency, sitting out with industry is being able to have those discussions, a dialog. We have a cybersecurity advisory committee here at CISA. I would bring as a member of being able to get that input from partners to understand where industry is seeing AI going in and what role could should the federal government play in that and how can we be supportive in helping with the implementation?

00;23;39;12 - 00;23;55;19
Nitin Natarajan
the safe implementation of these efforts as we go forward really is going to be key. So I think it's an extremely exciting time as we look at this and again as we look at this, when adversarial perspective is also a scary time and making sure that we can work together to utilize these new capability in a safe and effective way.

00;23;55;21 - 00;24;17;02
John Riggi
All right. Thank you, Nitin. And so obviously, lots of emotions and lots of potential risk and reward. And I do believe and just from what I've seen and listening to experts like both of you is that we are in the midst of a AI fueled cyber arms race. Good guys are using A.I. to defend; bad guys are using A.I. to go on the attack.

00;24;17;05 - 00;24;25;00
John Riggi
Nitin, one quick follow up question. Is there anything specific you would recommend to the private sector in securing A.I.?

00;24;25;02 - 00;24;43;25
Nitin Natarajan
I'd offer looking at security upfront. So as we talk about how we're going to use A.I. within our institutions, within our facility, is to truly understand the underlying technology and how that's being utilized. So if we use one example, whether you're using a dataset that's global, whether using a dataset that is limited to your institution, where is your data going?

00;24;44;02 - 00;25;14;02
Nitin Natarajan
So as you ask a question of generative AI systems and tools, where is it pulling data from? Where is it taking the data you're putting into it and really understanding that underlying technology. There's a lot of great neat technology out there, but we need to look kind of below that neatness and understand what is happening with our information and arguably, I'd offer I'm not sure people do this enough in their daily lives as well, right as we download an app on our phones or we go to a website, where is our data truly going?

00;25;14;03 - 00;25;27;09
Nitin Natarajan
So I think looking below that under the hood, so to speak, and knowing what is happening with those data is really going to be essential as we look at utilizing more of these tools as we go for, we get a lot of great opportunities. We just need to ask a few more questions before we hit launch.

00;25;27;09 - 00;25;52;23
John Riggi
Totally agree. Newton You can't control something unless you truly understand how it functions in those large data sets I think are key to AI producing secure results and securing that data both from privacy and security perspectives. Brian, being one of the most technically savvy health systems CEOs that I've met across the nation, what are your thoughts on the utilization of AI in health care?

00;25;52;26 - 00;26;17;11
Brian Gragnolati
AI means a lot of things to a lot of people. Labeling it in terms of what this next generation has, which is generative, is a good way to do it. We use AI in health care every day and we have to escalate the use of it. But as Nitin said, we've got to be very careful about it. It requires a level of sophistication that many organizations do not have to address this.

00;26;17;13 - 00;26;38;08
Brian Gragnolati
So my advice to our organization in what we put in this is make this part of your enterprise risk plan. This becomes a high priority in terms of A.I. As matter of fact, a few months ago, we had a panel at one of our all boards meetings that discussed this use in health care and particularly what we were doing at Atlantic.

00;26;38;11 - 00;27;03;07
Brian Gragnolati
The other piece is to as a CEO and as a leader in health care, learn about this, understand this, because this is very nuanced. I think staying on top of this is very important. And to the AZHA's credit, the Committee on Health Strategy and Innovation last week at our meeting, we had a whole series on this and we had some experts in there at Microsoft and Google speaking with us about this.

00;27;03;11 - 00;27;26;16
Brian Gragnolati
I got to tell you, it was an eye opener. It was an eye opener for every participant. So learn about this. Create organized conversations within your team and make sure that the clinicians are at the center of this, because ultimately this needs to be accretive to their efforts. I don't think that AI is going to push expert clinicians out of the equation.

00;27;26;23 - 00;27;46;00
Brian Gragnolati
I think that it's going to be additive. And another tool that they have to care for their patients. So in summary, make it part of your enterprise risk plan. Second thing is learn about it. Engage in conversations internally, and understand that this is about supporting patient care.

00;27;46;03 - 00;27;53;29
John Riggi
Appreciate that. Brian. In general, is there any final thoughts on any of the issues that we discussed today?

00;27;54;02 - 00;28;15;10
Brian Gragnolati
Again, John, thank you for putting these conversations on. And hopefully, you know, these conversations will stimulate others. I really appreciate the work CISA is doing in this space because it is incredibly important and to some extent you mentioned scary and comforting. You're right. It's scary and comforting. And thank you all for taking this on.

00;28;15;11 - 00;28;22;29
John Riggi
Thanks. Brian. Nitin, As we close out, any final thoughts you'd like to offer our listeners in the health care sector at large?

00;28;23;02 - 00;28;44;02
Nitin Natarajan
Thanks. I'm also by thanking you and Brian personally for your commitment to this effort and your dedication and focus on this as well the AHA. I think this is something that is not easily understood. It's often people get very scared of talking, having these conversations, but I think the more that we can talk through some of this, people will realize it's actually easier to engage in these conversations than people think.

00;28;44;02 - 00;28;59;17
Nitin Natarajan
And I think elevating these conversations, frankly, to the CEO and the board level is tremendously making a difference in how we can change our posture nationally. Because at the end of the day, there are those entities that are accepting risk on behalf of their agency and them have their organization. So being able have those elevated discussions truly is helpful too.

00;28;59;19 - 00;29;18;19
Nitin Natarajan
And I'd love to make a plug, as I usually always do for our regional teams. We have a lot of resources and so we try to bring to bear in collaboration with our partners with the FBI, HHS and others and try to put that in a central place for folks to access. And so we want to demystify the federal government and make it easier for people to reach us collectively as a federal government.

00;29;18;22 - 00;29;41;10
Nitin Natarajan
And so we have regional people in your communities throughout the country that you can engage with locally, that people can find for a website, and to use that as a means of engaging with our partners. And I know, you know, John, we continue to collaborate very closely with the AHA in your regional efforts as well. And it's great to have that partnership, that ability to work together to tackle these issues because I truly believe that at the end of the day, this is a global problem that needs a global solution.

00;29;41;14 - 00;29;45;13
Nitin Natarajan
And it's really going to take all of us to stay one step ahead of the adversary.

00;29;45;15 - 00;30;14;19
John Riggi
Thanks, Nitin. Totally agree with you and endorse your regional resources. I have traveled around the country and worked with many of them directly on our cyber workshops and they are truly outstanding and great experts and just truly making themselves available to work with private sector. So thank you both and thank you to all the men and women of CISA, Atlantic Health and all our frontline health care heroes who defend our networks, care for our patients and serve our communities.

00;30;14;21 - 00;30;29;21
John Riggi
This has been John Riggi, your National Advisor for Cybersecurity and Risk. Stay safe, everyone.