058 | Building a Culture of Security within Healthcare | Tony Anscombe of ESET | Studio CMO

In the last two years, a plague has enveloped our world and has crashed into the healthcare industry costing trillions of dollars. No, it’s not COVID. It’s cybercrime.
Bad actors are becoming more and more sophisticated. Ransoms are increasing at exponential rates. And sensitive health data is at a greater risk than ever before.
Cybercrime is not only a concern for IT departments in the bowels of hospitals and medical buildings. It should be a major concern and a top priority for marketing teams at HealthTech solutions.
About Our Guest
Tony Anscombe is the Chief Security Evangelist for ESET. With over 20 years of security industry experience, Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and Internet safety.
His speaking portfolio includes industry conferences RSA, CTIA, MEF, Gartner Risk and Security, and the Child Internet Safety Summit (CIS). He is regularly quoted in security, technology and business media, including BBC, The Guardian, the New York Times, and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS.
The healthcare industry is very good at preventative medicine for their patients. Paying cybercriminals is not preventative because it’s funding and resourcing bad actors for the very next attack. —Tony Anscombe, ESET
Three Steps to Building a Culture of Security at Your HealthTech Company
Don’t leave security to the IT technicians. Build it into your marketing messaging and automation.
Healthcare providers—whether attacked or not—are chilled every time they consider a new solution to add to their digital mix. They worry if the new application will become a door that can be breached by bad actors putting millions of dollars and patient trust on the line.
Don’t miss that hurdle in the customer journey you and your sales department are creating for potential clients. You can set yourself apart by taking these three steps.
Start with You
Michael Jackson famously sang, “I’m starting with the man in the mirror.” You need to start with your own company.
How well do you handle sensitive data to prevent loss, a breach, or corporate espionage? Start with you. Make sure your company data is locked away. Give your IT team freedom to look at cybersecurity tools and stay on the cutting edge. Build upgrades into your budget so you can be more nimble.
How carefully do you handle your own customer data? With the onset of GDPR and CCPA, many companies wrestled with their customer data plans, their email lists, and more. However, a large number of SaaS companies, especially start-ups and those in the US but outside of California, didn’t upgrade their websites and systems because they didn’t meet the threshold requirements. If you’re going to be an unbreakable link in the chain for your customers, build that strength now.
Systems and procedures are not enough to protect your customers’ sensitive data. Every person who works at your company (plus any freelancers) needs to keep the value front and center in all that they do. Imagine if you went inside for a banking transaction and could see another customer’s information on the screen or could easily look on the teller side of the counter and see account numbers, names, and balances. You would feel like you were banking at a careless institution. Work with your entire team to raise the standard of protection so they each feel responsible. Call it security collaboration. You may even want to create some internal marketing for the standard so that everyone feels part of something bigger than themselves. (For more, listen at 14:00 and following and 27:00 and following.)
When you create your next product, don’t wait till after you’ve developed it to add security features. Start with cybersecurity. Build your product in an environment of security. (Listen at 24:00 and following.)
Spruce Up Your Security Process within Marketing Functions
When a visitor comes to your site and downloads a white paper or signs up for your email list, what security protocol is in place? Is there two-factor authentication or a verification code sent by email or text? How do those messages look, feel, and sound from a marketing perspective? Don’t accept boilerplate language or templates here. Work on these expressions of security so that your users feel secure when they interact with you.
Don’t let your privacy policy be a jumbled mess of legalese that is hard to read on the screen. Treat it like a long blog article. Use subheadings and simpler language for a better experience whether your visitor is skimming or reading. Help them feel confident in your security. (Listen at 16:00 for more information.)
If someone unsubscribes from your list, don’t waste an opportunity to demonstrate how carefully you treat personal data. Sure, you may still want to try and retain their place on your list, but it is more important to let someone leaving know with confidence that they won’t receive any more communication from you and their name isn’t for sale.
What other subtle ways could you remind your visitors and email list that their data is secure?
Include Security in Your Front Line Marketing Messaging
Trust must be earned. You can’t call yourself a trusted partner. Only your customers can bestow that honor on you.
In the same way, you can’t demand to be trusted in the marketing and sales process. You must earn it. However, you won’t earn your prospect’s trust if you don’t talk about security and demonstrate it.
- When you answer objections about your solution, do you include any security information?
- Do you include security as a part of your FAQs?
- Can you spare a few words in your elevator pitch to nod to security?
- How many seconds does security receive in your pitch presentation and deck?
- Do you have any comments and endorsements from existing clients about security?
Keeping data secure is high stakes for healthcare institutions. Be their armor-bearer. Help your customers be even more secure than they are now.
Tony Anscombe, Chief Security Evangelist for ESET, believes there is a broader call in the healthcare industry. “Healthcare is regulated by HIPAA. This is very generic security terminology used in HIPAA,” Anscombe said. “I think if I was in the HealthTech industry, I would be looking beyond HIPAA compliance. When you have regulations or legislation, it’s merely a stake in the ground. Go beyond. Innovate further. Look at some of the other innovations around security technology that could be used to further—not just comply—but to go way beyond compliance. There’s too much at stake.”
Links Mentioned on This Episode
- Dr. Michael McGuire presented his research at RSA 2018 where he found that the total cost of cybercrime worldwide was $1.5 Trillion per year.
- In 2020, the World Economic Forum revised that number. They estimated that the global risk was over $6 Trillion.
- In 2018, Atlanta, Georgia’s Smart City Servers were hacked and the ransom was $51,000 in bitcoin.
- Kaseya, a SaaS and managed service provider, was attacked with a total ransom of $70 million.
- Britain’s National Health Service was attacked but the government didn’t pay the ransom. It cost an estimated $122 million to bring the network back online.
- Zero Day Vulnerability in Microsoft.
- Golden Spiral’s Privacy Page
- ESET’s Privacy Policy
- Tony Anscombe’s “We Live Security” video series
Transcript
John Farkas (00:00):
So we are in the process of finding our way out of a global pandemic and it’s cost untold trillions of dollars in multiple different, uh, manifestations and expense in the context of our businesses. I’m talking about COVID, but there’s another global pandemic going on right now that is costing untold trillions of dollars in the context of our community. And it’s everything related to cyber crime. It is a huge problem, and it’s a huge problem in the context of healthcare. And a growing one, as bad actors are increasing in their sophistication. And as they’re recognizing the threat that they can pose and the value that they can extort from healthcare institutions, it’s a critical problem. It’s an important component to understand, and it’s an important component to address and how we bring things to market. And that’s what we’re going to be talking about today on Studio CMO.
Mark Whitlock (01:07):
Welcome to Studio CMO. You are listening to the podcast where you can find the way to sharpen your market positioning better than ever before and build demand generation programs that change the lives, not only of your patients, but for the course of your HealthTech company. My name is Mark Whitlock. I’m alongside my fellow co-host Anna Grimes. John Farkas, the host of Studio CMO, is here as well. You just heard from him. And Anna, we are welcoming back to our microphones today, a guest who was one of the first on Studio CMO from episode 17.
Anna Grimes (01:55):
That’s right. Tony Anscombe is the Chief Security Evangelist for ESET. He has over 20 years of security industry experience and is an established author blogger and speaker on the current threat landscape security technologies and products, data protection, privacy, and trust, and internet safety. He’s also regularly quoted in security technology and business media, including BBC, The Guardian, the New York Times, USA Today, and even broadcast appearances on Bloomberg, BBC, CTV, KRON, and CBS. So welcome Tony.
Tony Anscombe (02:35):
It’s great to be here, Anna. And, Mark and John, it’s good to be back. Yeah. Episode 17 seems a long time ago.
Mark Whitlock (02:42):
It sure was.
John Farkas (02:42):
Yes it does.
Mark Whitlock (02:43):
And so remind our listeners and those who are new to the listening audience about ESET. What do you guys do better than anybody else?
Tony Anscombe (02:51):
So ESET is a cybersecurity company, and importantly, we’ve been around for 30 years. So a long standing member of the cybersecurity community and all the way back from… You remember those five and a quarter inch floppy disks with, oh yeah, yeah. We distributed our first antivirus products on five and a quarter inch floppy disks, way back when and, uh, today, uh, we’re somewhat different to that. You know, we’re a global company, we’re the number one for providing small business solutions in Europe. And, you know, we provide all the way from antivirus software or anti-malware software as we should really call it and cybersecurity protection from your laptop and your phone all the way through to a big enterprise where you’d have endpoint detection and response systems that are actually looking for anomalies in traffic and threats that are internal to the network. So yeah, my mum all the way through to the biggest enterprise.
Mark Whitlock (03:53):
And you have a large presence in healthcare IT as well.
Tony Anscombe (03:56):
We do. We have a presence across, uh, across many different industries and healthcare is an important one to us.
John Farkas (04:02):
Tony, I know this is a huge issue. There is a lot going on and it’s an expanding threat that continues to grow in prominence and concern. I’m interested because there’s been some things that have happened just in the not too recent past that have changed some of the game. Tell us what we need to know about how this threat landscape is changing. And as people are considering cybersecurity, as we’re considering data security in general, what do we need to know about what’s transformed and where things are vulnerable now?
Tony Anscombe (04:39):
Well, so firstly, let me pick up on something that Anna said in the intro there: the cost to business and the cost organizations, whether it’s healthcare or whoever. In 2018 at RSA, a man called Dr. Michael McGuire gave a presentation. And he’d gone around the world and he’d tried to collect up what cybercrime was costing business. And he estimated it to be $1.5 trillion globally. In 2020, the World Economic Forum revised that number in their global risk report to $6 trillion. Wow. Now that was at the start of 2020. If somebody was to revise that number here in the start of 2021, I would hazard a guess. We’re heading towards double digits in the trillions of dollars, because if we look at how ransomware and cyber threats have changed, if I take you back also to 2018, and we look at a cyber threat that happened then, um, the city of Atlanta suffered a very bad attack on their smart city servers.
Tony Anscombe (05:48):
And there was a ransom demanded for $51,000. And at the time that seemed like a lot of money. When you fast forward to today, you’re, you’re seeing ransomware demands on the Colonial Pipeline. They paid $4.4 million. Uh, you’ve seen Kaseya, which was a managed service provider last weekend that affected tens and hundreds of companies being demands of $70 million. So you can see from this $51,000 to the $70 million is a huge change. And companies are now paying—from the city of Atlanta who didn’t pay—why are companies paying now? These much larger sums? Well, if we go back to that 2017–2018 era, and we look at the National Health Service, so a healthcare provider in the UK, in 2017 got hit by WannaCry. That was a major piece of ransomware, a major cyber attack. Of course they didn’t pay because no government would or should pay a ransom in that way. The estimated cost to public finances was $122 million. And that’s the good thing of when something hits a public sector organization, we tend to hear about the aftermath and the result because the post-mortem becomes relatively public.
John Farkas (07:14):
Public. Yep.
Tony Anscombe (07:16):
If you’re an organization today and you’ve got the knowledge of looking back and going well, you know, somebody is demanding $2 million in ransom payment, or even $10 million in a ransom payment or not to publish data. Then I can look back and turn and say, “Well, you know, they might be asking for $2 million, but it’s going to cost me $10 million plus to rebuild, which one should I do?” And unfortunately, I think that’s one of the reasons why people are paying. And you’ve also got this other factor in there in those two or three years. You’ve now got insurance companies that have appeared offering cyber risk insurance. If you’re in the boardroom and now you’ve, you’re faced with paying two or $3 million to a cyber criminal, or you’re faced with rebuilding your systems at tens of millions of dollars. And you know, out of that two to $3 million, you can get 50%, 75% of it back from your cyber risk insurance. And they’ll send you a negotiator to try and bring the amount down. Then I think the decision becomes more about paying than it does not funding cybercrime. And the healthcare industry is very good at preventative medicine. Isn’t it? Yes. I can tell you one thing paying cybercriminals is not preventative because it’s funding them and it’s resourcing them for the very next attack.
John Farkas (08:42):
So certainly the incentives have changed. The shape of the attacks have changed too, haven’t they?
Tony Anscombe (08:50):
We look back at ransomware as an attack, uh, and if we look at the dictionary definition, if you go online and you Google ransomware, you’ll get a nice dictionary definition of here’s about encrypting data and blocking access to systems and blocking access to your data, which is correct. However, I think that definition is somewhat wrong today. If we go back two or three years, it would start with an email. It would have an attachment in an email or a link, and it would encrypt the data on the device or block access in some way. And if we go back far enough, it really was just blocking access. So it was, yeah, lock screen. Today, that’s very different when you’ve got well-funded and well-resourced cyber-criminals attacking organizations, such as hospitals who have lots of sensitive data. Remember on the cyber grade node that actually sensitive data is like gold.
Tony Anscombe (09:43):
Because if, if you can get your hands on unencrypted sensitive data, somebody is going to pay you. What they do is they infiltrate the network. Now think about some of the recent vulnerabilities we’ve seen in the market. Uh, you guys may have heard of the zero day vulnerabilities in the Microsoft Exchange servers in the last few months. Cyber criminals will go and exploit vulnerabilities in software or in firmware. They’ll access the network; that might be using credential theft. So they might be using traditional phishing techniques or spear phishing techniques. But once they’re in that system, it’s changed. They’re not then saying, “Right, deploy my ransomware.” What they’re doing is they’re sitting, they’re mapping the network yeah. Around the network to see what sensitive data is, where it’s stored. They’re moving around and making decisions. They may even be watching email streams and such like, yeah, they’ll look at what security is in there.
Tony Anscombe (10:43):
Then they’ll exfiltrate that data. They’ll copy that data to an outside server. They’ll look to see how the organization is backing up the data. You know, is it a true, real time online backup? Are they taking a hard copy? I’d say hard copy. I mean, I’m thinking of tapes, but that just shows my age, but are they taking off-site copies of data that’s disconnected? Then once they’ve exfiltrated the data and they understand what’s going on in the network, then they look to see if they can disable any security systems. Because if they can turn some pieces off and make it spread quicker internally, then they’ll encrypt. Then they’ll launch their ransomware attack. Now think about this as the victim for a moment, you’ve got this ransomware attack, all your systems are completely locked. Yeah. And you’ve got a cyber criminal sitting there with all your patient records. Yes. So now you’ve actually got two attacks happening at the same time, because if you don’t pay the ransom, you don’t get access back to your systems. And if you don’t pay them, they’re probably going to publish the data or sell the data on the dark web. So it’s as much about a data breach today, as it is a cyber attack, that’s locking your, your systems out.
John Farkas (12:02):
And if you’re the company partnering with the health system, that ended up being the doorway to that kind of a breach, right. That can be decimating. It is a really critical thing to consider. The consequences are real and the desire, the need to address that. Uh, not only in the infrastructure that you’re creating from a systems perspective internally, but from how you are addressing the market and being conversant about it and leading conversations about it is a need an increasing need and an opportunity because as hospitals and health systems, as payers are all getting increasingly aware of the concerns and the needs to aggressively treat that. They’re expecting their vendors. They’re expecting people selling into their systems to join them into that conversation and work with them to become a united front. And so Tony part of what I’d love to talk about today is knowing our audience and knowing that we are talking to marketing people for these companies, what are some of the opportunities? What are some of the conversations that are important to be a part of? What are some of the sensitivities that are important to embody when we’re talking about the messages to the market, how would you guide and direct some of that?
Tony Anscombe (13:24):
Well, when you invited me to come back on, I, you know, I gave this some consideration because if you think about what, okay, you know, how you marketing, what happens today. And actually, I think maybe I then kind of went down that path and then I considered maybe that’s the wrong way to view this. Actually, maybe the marketing team should be sitting at the same table as the security team and the rest of the senior management and board members, because this is not something that the one team fixes or deploys, something that makes everybody feel good or feel secure. And then somebody goes to market said, you have to instill a security culture across an entire organization.
John Farkas (14:08):
Yep. Yeah. It’s, it has to start with an ideology, right? I mean, you have to have a well-formed ideology about how you’re approaching it. Right. And it has
Tony Anscombe (14:16):
To start at the top of the organization and filter all the way down so that everybody in the organization understands. This has the backing of the people at the top. And they’re doing as they’re preaching as well from top down and you then create a form of culture in the organization. So for example, if that security culture goes all the way down to when I, as a patient, I walk into a hospital and no longer do I see another patient’s record on the screen, or I don’t see the paperwork on a desk. And I know they’re taking the security of data of, of other patients seriously, then suddenly, you know, my perception may change. I really think that all the way down to the receptionist, to being more secure, if every time I receive an email from my healthcare provider yeah. It’s caveated with certain information.
Tony Anscombe (15:10):
So think about your finance organizations, do a really good job. Don’t they, the banks tell you, we’re never going to ask you for your password. We’re never going to send you an email with a link in it. You know, we’re never going to do this. We’re never going to do that because of course it costs them money if your, your, your account gets compromised. Right. So right now, imagine if your healthcare provider took a similar view, and I know it’s more complex in healthcare because you go to one healthcare provider. And actually, if you, if you peel the lid off, there’s like 500 healthcare providers under one healthcare provider banner. So you’ve got to instill a transparency and a culture across all of the providers in that network of being secure. And they should all behave in very much the same way to give the customer the knowledge that security is being taken very seriously.
Tony Anscombe (15:59):
And the customer should be able to witness that in all the communications and in their interactions with staff. So if you take it from that top down view, then actually I think the marketing becomes a little easier because you can see engagement across the entire business. And if you’ve got a business culture that way, your marketing message should be much simpler. The other thing that I think is important as well is privacy policies. Okay. And transparency about how data is stored and how the business is, is protecting the patient information. So, you know, when was the last time any of you guys read a privacy policy? I mean, we know how long they are, they’re painful, they’re, they’re long legal documents. And typically, you know, they’re a 15-minute read. Yeah. Typical privacy policies are going to be around 3000 words or so. Yeah. Segment the privacy policy, state very clearly what’s happening to that customer data, you know, who it’s being shared with, how it’s being shared.
Tony Anscombe (17:02):
Yeah. Make the patient understand, you know, what’s happening. And if that transparency is in itself, a marketing message, right. Because if you’re being transparent, if you’re being upfront and you’re telling me that I have a responsibility about my data, you have a responsibility about my data. Here’s how it’s being protected and you know, who it’s going to and how it’s being shared for my treatment. Then actually I think I’m going to feel a lot more secure and more to the point I can object. Maybe, maybe you’re doing something I disagree with and maybe I have the right to object.
Anna Grimes (17:40):
And by the same token, Tony, it, it goes for those B2B vendors selling into that. As you said, you look under the lid, there’s like 55 other names, organizations that surround say Cleveland Clinic. But if you’re selling an let’s just say an EHR testing product into that system, I would say it’s a marketing advantage. If you can clearly explain how we handle the data, we, how we are good stewards of this data, and how we are a part of your cybersecurity team.
Tony Anscombe (18:18):
Absolutely. And I think that transparency we’ve seen in other industries, I mean, one example I use and I’m going to leverage back many years, probably about 20 years on from living in the UK when there was a major financial crisis in the 1990s. Um, the aftermath of that financial crisis, uh, saw regulation come in and the financial industry had to put everything on one side at one piece of paper. So when you buy a financial product, one piece of paper was delivered and it told you the core pieces that you needed to know. So no longer 15 pages of legal T’s and C’s that nobody read. And I think that if you can talk about security and your privacy in the same way, and on one piece of paper, one side of a, of a letter, piece of paper. And I say that as physically, yeah, physically, but you know, one on the screen with a small scroll on it, but I think that way you engage people, you engage people to actually read it and understand what’s going on.
Mark Whitlock (19:26):
So to recap, what we’re looking at here is a HealthTech company selling into providers. The providers are chilled from a security standpoint because they realize that if they get breached, all hell’s going to break loose. And so the HealthTech company coming in has got to demonstrate that they have a culture and ideology of security, so that they’re coming alongside the healthcare provider to help protect the health data at the healthcare provider. So how does that ideology and that the culture at the HealthTech company and the sense of privacy, how does that working in a team with senior leadership and with the security and IT folks at the HealthTech company as a culture, how does that get infused into marketing? What needs to be said through marketing messages to the healthcare provider? So the healthcare provider can over time trust the HealthTech company with their solution.
Tony Anscombe (20:25):
So I think there’s also a broader, um, part in there is the healthcare industry, of course, is regulated by HIPAA. And you have, I would say very generic security terminology used in HIPAA say group practice is to follow the NIST cybersecurity framework and deploy cyber security to become HIPAA compliant. I think if I was in a HealthTech industry, I would be looking at the HIPAA compliance because you have to step up and be compliant. But I think I’d be looking beyond HIPAA compliance about because when you have regulation or legislation is somebody puts a stake in the ground at some point in time and says, this is where we are today. And this is what’s actually required as a HealthTech provider. I will be looking at some of the other innovations around security technology that could be used to further not comply, but to go way beyond compliance. Don’t just check the box. Yeah, I’m Mike, actually the HealthTech company should be making the healthcare provider understanding the same way. I’ve just said about from a patient perspective that the culture of the HealthTech company comes from a security standpoint.
Anna Grimes (21:45):
It’s, it’s part of their overall culture of safety. If, if we’re talking about compliance and risk and all of that, it’s, it’s a part of the whole picture. Yes,
Tony Anscombe (21:56):
Absolutely. And I think it’s about making that extra effort. That extra step is the difference between, let me give you an example, it’s the difference between you having an antivirus product on your machine to protect yourself as opposed to having a full cyber security suite of products that are protecting your browser, your phishing, and the compliance might require you to have antivirus, right? But actually for your best protection, you want the full suite of products, right. And to be protected across the board. And I think that’s where I would be as a HealthTech company, I would be looking at some of the, the new, clever, innovative technologies out there to help provide that security.
John Farkas (22:39):
So Tony, the opportunity, if I’m looking at becoming an increasingly valuable partner with payers or providers or anybody in the healthcare ecosystem, working to position yourself as a leader in the security conversation makes sense, because it’s only going to become a more pronounced problem in the next five years. I mean, the, the rewards are too great. The momentum is too strong for, to go any other way. I mean, I that’s the unfortunate truth and in the problem is going to have to get louder before people increase. I mean, people are taking it more seriously, but it’s going to have to take another step before we are really going to pay attention at the level we need to, if you’re a company and you have the ability to you, you have the ability and the sensibility to create that culture that you are talking about to, to promote security at a level where it can be really, uh, it can be pretty front and center in your value proposition and you can help your clients, your buyers into a stronger position. It seems to me that that’s a great place to be right now.
Tony Anscombe (23:52):
Let me take the first part of what you just said and kind of, I’m going to disagree, John. Um, let’s see cryptocurrency regulated. Let’s take the money out of cybercrime. Let’s take the payment method out. Yeah. And if it, if you’ve got any government people listening to this podcast, please step in and do something here you’ve already seen. So for example, Australia have a proposed piece of legislation going through at the moment that makes paying ransom demands illegal. Right? This is an interesting scenario because if countries start making it illegal to pay cybercriminals, the countries that remain where it’s still legal to pay them will become a bigger target because the cybercriminals will just focus their campaigns where they know they can make money. So there’s making the payments illegal is one side of this. Secondly, though, take the money out of this and potentially you stop some of the cyber crime.
Tony Anscombe (24:57):
I’m sure they will find other ways to monetize, but it might not be the riches of $14 to $17 million when they attack somebody. And it will be a lot harder. The second part of that, that the whole culture of having cyber security, if I was to go off and start a small startup today, and that startup was doing healthcare technology or was doing FinTech or whatever it might be, the place to start is yes, you may have an idea around what you want to deliver as a service, but the place to start actually is with cybersecurity. Yeah. It has to be by design. It has to be from the ground up. You can’t develop a product or make a product or a service and then add security. You have to have it secure from the outset. That’s also what stops loopholes or bypasses or vulnerabilities being in there. And I, and I’m not saying it gets rid of all vulnerabilities because all services and all systems unfortunately have vulnerabilities, even if they’re yet to be discovered. So we’ll never remove them completely. But if you start with cybersecurity at the core, then I think you’re in the right direction.
Anna Grimes (26:12):
It brings a new definition to product market fit. Doesn’t it, John for HealthTech?
John Farkas (26:17):
And the reality is that anybody that’s touching data and especially in our case, in touching patient data or organizations that have anything to do with patient data security has to be part of the systemic framework that they have. But it’s about taking that framework and building a culture around it, you know, ’cause it’s not just about having it baked. You have to have it there. And the smart SaaS companies that are touching patient data, you know, it’s regulated and most of them are going past regulations because that’s smart, but not just having it as part of the furniture, but having it as a part of the culture and say, what is, what does it mean to be talking about this, to be talking about the precious nature of that, that idea and bringing that forward in the context of the culture and how you bring that to market. I think that that’s really important because that will only then bring you farther into the conversation with people that are really concerned about it, highlighted for the concern that it is and do more to highlight the problem. So that Tony, what you were saying so that the, the awareness increases at a, at a point where we’re actually going to begin to do something about it, where we’re actually going to be working to actively disincentivize the bad actors for doing what they do.
Tony Anscombe (27:39):
And bringing this back to the audience here of people in the marketing teams, if, as the end consumer of a product, when I go to access a service and I feel confident about the service because of the way it’s messaging me. And some of the things it’s asking me to do, it is asking for those extra steps in authentication, it’s asking this, that, and the other, that is marketing because right there, if I feel confident in the service, yeah, I’m going to come back and use it again. Right. And therefore that’s the job of marketing, isn’t it? And if I’m then going to tell my neighbor, this was a great service, or I felt secure and look at how cool this, this company has got this other cool technology they’ve deployed to make my data secure and make my healthcare more secure. Then that is it. It’s that transparency. It’s how you sell that security culture right to the end customer, I think, is going to help the healthcare provider.
Mark Whitlock (28:38):
That’s a fascinating thing to highlight that if the healthcare provider, the researchers there who are looking for solutions come to that HealthTech website, and as they’re reading blogs and downloading case studies and looking at information and setting appointments and all the other things they would do throughout the, uh, marketing interaction, if they’re feeling a sense of security, they are going to naturally kind of behind the scenes feel that sense of trust that these people care about security as I’m going through this process. That’s a fascinating idea.
John Farkas (29:08):
If I were to take a survey of a lot of the HealthTech companies that I see out there right now, and look at their top line messaging, you know, what I encounter from them in the first 60 seconds of my journey in with them hardly ever is security a part of that equation. It’s almost always about the direct benefit, which is important, but what I want to put out there now is that, you know, like many institutions, it’s a lagging field, we’re going to be behind the curve. And so healthcare is just now awakening to the importance of security, broad scale. I’m not meaning to diminish this. People have been very aware of it, but it’s getting, it’s moving farther and farther toward the front page of critical awareness. And the demands are going to start being made, and it’s going to become an increasingly present priority. And so in a world where we’re really searching for differentiation, when we’re in a competitive market space, where there’s a lot of people wanting attention for very similar solutions, bringing the security message farther forward is going to be of increasing value in the near term, because people are going to be asking, how are you approaching this? And if they’re looking at two solutions and one just talks about here’s how we solved the problem. And the other says, here’s how we solve the problem. And security is part of our lifeblood. That’s a very different approach and something that I think will help move organizations into a better position in the market in this next season, because it’s going to become an increasingly apparent demand.
Anna Grimes (31:02):
A HITRUST certification is not going to, while it does show you’ve reached certain levels of trust, certain levels of protection, but a HITRUST certification is the beginning of the conversation. It’s not the end of the conference,
John Farkas (31:16):
It’s the table stakes. And, and who’s going to go past that? Who’s going to help lead the conversation that elevates healthcare into a better spot?
Tony Anscombe (31:26):
Wouldn’t it be great to see a HealthTech company who have got a, an innovative idea they’re trying to sell to a provider. And actually they turn around and say to the provider, we’re not going to work with you because your systems aren’t secure. You don’t have the same security culture that we do. And my point here is that maybe it’s the HealthTech community, those smaller startups that have innovative ideas. When they go to the healthcare provider, they should be upping the healthcare provider’s game because those guys are probably focused on patient care. And let’s be clear over the last 18 months. One of those healthcare providers have gone through a very, very stressful time, both with losing revenue in providing what I define as normal healthcare to actually sing a pandemic. So their focus might not always have been on their IT systems. So HealthTech companies, make sure the healthcare providers are stepping up and making sure they’re reaching the best security. Don’t bring your security down to theirs just so you can sell something.
Mark Whitlock (32:28):
Tony Anscombe, thank you so much for being back with us on Studio CMO.
Tony Anscombe (32:33):
Oh, it’s a pleasure, Mark. Always good to be here.
Mark Whitlock (32:36):
You were one of the first recipients of, uh, our special gift after being a guest on our show. And, uh, I can’t wait for you to see what we do for those who come back.
Tony Anscombe (32:46):
Let’s face it. It’s the only reason you came.
Tony Anscombe (32:49):
My wife couldn’t believe you sent me that case of vintage champagne. It was just too much. So I’m just saying, if there’s anybody out there that hasn’t signed up to be a guest yet. Yeah. The benefits are really there.
Mark Whitlock (33:07):
So come on over to StudioCMO.com and click on the Tony Anscombe interview. What we’re going to do is we’re going to link you to some of these statistics. We threw a lot of statistics at you today about cybercrime and the increase and how it’s affecting healthcare. We’re going to link to some of those statistics for you. So you can take a look at it. Uh, we’re also going to link to our privacy policy. We recently overhauled our privacy policy and, uh, it’s segmented like Tony mentioned is, is, is good practice. So take a look at ours. As you consider how you build that culture of privacy. We’re also going to give you some tips on how you can begin the conversation or restart a conversation about a security culture at your company. So come on over to studiocmo.com, click on the Tony Anscombe interview. You’ll find the information there. And of course, we’re going to link you out to Tony. Tony produces an incredible series of videos for ESET each week. You can find him on YouTube and listen to his great British brogue and learn more and more about what’s happening week in and week out. We’ll, we’ll link you out to that series of videos on YouTube as well. So when we talk about understanding our buyer’s problems,
Mark Whitlock (34:21):
Security is one of those. And so today, as always, we end with these three core thoughts from Studio CMO, you must understand your buyer’s problems.
Anna Grimes (34:31):
You must lead with an empathetic understanding
John Farkas (34:34):
And always work to make your buyer the hero.
Mark Whitlock (34:37):
We’ll see you next time on Studio CMO.
Mark Whitlock (34:39):
Studio CMO is produced by Golden Spiral—market positioning and demand generation for HealthTech. We are an agency dedicated to help you realize your market potential. Our music is from Bigger Story Music, a BMG music library. Whatever story you’re trying to tell, Bigger Story has the perfect music to make it better. Really. Check them out at biggerstorymusic.com.