Speed Data: Quick Conversations With Cybersecurity Leaders

When Ransomware Wreaks Havoc on Healthcare With J.D. Whitlock

Episode Summary

This week, our guest is J.D. Whitlock, the Chief Information Officer at Dayton Children's Hospital. With a background in the military, healthcare administration, and IT, J.D. offers an in-depth perspective on the importance of cybersecurity in healthcare. Read on to learn how he minimizes the damage at his hospital when ransomware rears its ugly head.


Episode Transcription

[00:00:00]

J.D. Whitlock: I'm certainly not the first person to say this, but all the good security people were network people first. You kinda under, you sort of need to understand the, how the network works before you're in charge of protecting the network.

Megan Garza: Makes sense. Yeah.

J.D. Whitlock: Yeah.

Megan Garza: Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. I'm your host, Megan Garza. My guest today is J.D. Whitlock, the Chief Information Officer for Dayton Children's Hospital. Thanks for joining me on Speed Data, J.D.

J.D. Whitlock: Pleasure to be here, Megan.

Megan Garza: J.D. has been at Dayton Children's Hospital for the past seven years, where he currently leads a team of 140 professionals across infrastructure and operations, data services, cybersecurity, PMO, Workday, ERP, and Epic EHR, all in support of the $750 million pediatric health system. J.D. also owns a [00:01:00] health technology and digital health consulting firm and is passionate about fostering innovation in healthcare. J.D. also has a creative background in marketing and media, specializing in SEO, website design, and mass communications. He volunteers in his community. J.D. has been active in Big Brothers and Big Sisters for more than 14 years and does prison fellowship at the Dayton Correctional Institution.

That is really cool, and I bet it's really rewarding as well.

J.D. Whitlock: It is.

Megan Garza: You oversee cybersecurity in your role as CIO. Working at a hospital, I know that any disruption to the business or cyber attack can literally be a matter of life and death. Working at a children's hospital, I imagine that danger feels even more crucial.

In your opinion, what is the best way to defend against a cyber attack?

J.D. Whitlock: Uh, anywhere in, in healthcare, we are very concerned about ransomware attacks. Of course, you can see in the press, relatively, unfortunately, frequent, um, hospitals being, being taken [00:02:00] down, uh, by ransomware. Um, of course we all have downtime procedures so that if and when things have to go down for whatever reason, um, we can still take care of patients as safely as we possibly can. But it is also true that typically what happens in those scenarios for longer term, a truly bad ransomware attack that really takes a hospital down for a period of weeks, typical, typically results in significant interruptions to care and, you know, canceling of elective surgeries and that, that kind of a thing.

So we are of course always doing everything we possibly can to defend against that. Dayton Children's is a, not a small organization, but a small health system, and so we have to, we're big enough to have a large attack surface, uh, and from a cybersecurity perspective, so we have to be very careful about all that. [00:03:00] And we, you know, try to keep up with, uh, using the, uh, the best tools that we can with our, with our small team and supplemented by some, um, services.

Uh, for example, in the case of a managed detection and response, that you sort of have to do if you have a smaller team, if you're not gonna set up your own security operations center. So, uh, you know, defense in depth and zero trust and all that good stuff. And we hope to keep the bad guys out of the, at least out of the family jewels.

Right? So, um, it's true in today's environment that you're never gonna stop the bad guys from getting over that first wall with a, with a sophistication of attacker in the middle and getting past MFA and all that. So we just, um, you know, we hope you have the, the alerting and the, the tools in place to, to identify, you know, account compromise, uh, very quickly after it happens.

Um, and [00:04:00] so that's what we are all shooting for.

Megan Garza: Yeah. And I know that some types of malicious actors used to have a kind of, you know, code of ethics where they wouldn't go after vulnerable individuals like children or the elderly. Do you find that to still be the case?

J.D. Whitlock: Well, no, obviously the bad guys are doing everything they can. Uh, mostly, you know, mostly they're out to, of course, make, make a buck. Of course you also have the threat for nation state actors and advanced persistent threat and all that kind of stuff. Uh, and then you also have, based on, sometimes the attacks are very sophisticated. Sometimes they're not terribly sophisticated and sometimes it's script kiddies or, you know, people just banging on whatever they can find to, to bang on and some, but sometimes there's like spear phishing, you know, and, and our executives and that kind of thing.

So it's the whole, it's the whole spectrum, um, of all that. But no, they certainly don't stay away 'cause it's a children's hospital. No, definitely.

Megan Garza: Unfortunately. What is your most dreaded type of [00:05:00] cybersecurity attack?

J.D. Whitlock: So going back to the ransomware scenario, um, and it's, it's, it's what they get into with the ransomware, right? So obviously we don't want any ransomware, but if ransomware got onto, for example, an individual PC for one of our employees that this does not have any elevated credentials, um, and we all, our alerting, you know, technology, alerts us to that quickly.

That's still bad. We still failed on several levels that, that, that, that happened. But it's not necessarily an existential threat. We can, we can obviously correct the situation and, and, re-image that PC and, and, uh, obviously kick the bad guys out, uh, reset password, all that kind of stuff. So it really, it's really about how far the bad guys can, you know, worm their way into the back end of things.

When you, when you see really bad ransomware [00:06:00] attacks, they, they, they typically, they've successfully gotten their, gotten into the back end of the, you know, VMware or what, whatever it is you're running your, uh, data center on. That's, that's, that's the worst scenario.

Megan Garza: Yeah. And in addition to managing cybersecurity, you're also responsible for infrastructure data services, PMO. What made you wanna go into information technology?

J.D. Whitlock: I certainly didn't start out in information technology, so I'm a retired military. Started out as a, uh, naval officer, did, um, naval officer things, driving ships around for a while. Then I did a Master's in healthcare administration. It's really gotten into healthcare administration, swapped to the Air Force, did that, uh, healthcare administration in the Air Force.

And then, after I've been doing that for a little while, um, got into the IT side of healthcare administration and, but now I've been doing that for a really long time, like 25 years. So kind of came to it in sort of a, a roundabout fashion. I guess the question is why did [00:07:00] I, why did I stick with that?

Uh, because it's really fun. It's always challenging. It's never boring. You know, you get to, um, you get the, the, the reward of helping the, all the caregivers take care, take care of patients. And, um, as I always tell my team, you know, healthcare IT is not, if you want to be the hero, don't go into healthcare IT, go to medical school or nursing school. Um, we're, we are, we are here to, to support our caregivers. There's not a whole lot of, there's not a lot of glory in that. Um, but it's certainly, it's certainly a rewarding, uh, career, uh, in terms of being excited to come to work every day.

So.

Megan Garza: And speaking of your, your team, what do you look for when hiring new team members?

J.D. Whitlock: So that's a great question and it is, um, obviously dependent on the position. Of course, we, we always look for a great culture fit. Every organization cares about culture fit. Um, you know, we, we do a really nice job promoting from within.

On the, on the [00:08:00] tech team side, we are almost always looking for, uh, some entry level positions to come into our service desk or field support, uh, team.

And, uh, and these folks, uh, sometimes they have a degree, but oftentimes they don't. We don't expect them to. And just yesterday I was talking to a, um, uh, some seniors in high school that are in an IT vocational program, uh, because, you know, we'd love to hire some 'cause they're coming out of that program.

When they graduated from high school, uh, with, with typically like an A+ and sometimes even a Security+ certification, which is exactly what we're looking for, uh, for those positions. Um, uh, so that's one answer. Switching to the Epic side, the majority, our Epic team, are, are nurses who used to be nurses at Dayton Children's. We do a lot of hiring from within, within our nursing staff.

And, and I'm proud to say that we, we score a very highly on, uh, the Arch Collaborative EHR satisfaction [00:09:00] survey.

Megan Garza: Mm-hmm. Mm-hmm.

J.D. Whitlock: And we, we win the award that they give out for that. It's called the Pinnacle Award. And now that is certainly multifactorial. Why we do well at that, and it would be a whole separate, we could do a whole separate podcast on that.

But if I to, uh, one reason I think that we do well is because of that, because so many of our team that are doing the actual Epic build to support our caregivers used to be one of those caregivers, and so they, they really understand their

Megan Garza: That perspective. Yeah. 

J.D. Whitlock: Yeah.

Megan Garza: And when you mentioned, you know, bringing folks on at entry level positions, what does it take for them to become a successful security leader?

J.D. Whitlock: Our small cybersecurity team, of, of six people, two people out of those six came, came externally. Uh, one of 'em was a, uh, actually our CSO, uh, a retired Air Force cybersecurity, uh, operator. Um, and so he was, he was new to [00:10:00] healthcare, but he knew a whole lot about, operationally, uh, protecting the network. I'm certainly not the first person to say this, but all the good security people were network people first. You kinda under, you sort of need to understand how the network works before you're in charge of protecting the network.

Megan Garza: Makes sense. Yeah.

J.D. Whitlock: Yeah. And so, so once again, po, position dependent and obviously, uh, you hire, you hire the right, the right skill set for the, for the job.

So.

Megan Garza: Sure, and I mentioned a little bit about your volunteer work and and passion for serving and outside interests. If you weren't in technology, what would you be doing?

J.D. Whitlock: If I weren't in technology and retired, or if I weren't in technology and not retired?

Megan Garza: Let's do both.

J.D. Whitlock: Uh, well, if I was retired, which I hope to be in, you know, six or seven years here, um, I would be probably doing more volunteer work and, um, let's see, reading more, going for really long walks every day. Um, things like that.

Um, if I were not retired, what else would I be doing? That's [00:11:00] hard because, believe it or not, I really love my job.

Megan Garza: That's good. 

J.D. Whitlock: So, uh, don't really want to do anything

Megan Garza: Well, that's good then. Then where you are is where you should be.

J.D. Whitlock: Exactly.

Megan Garza: You're doing what you love. So

J.D. Whitlock: Yeah. You know, you mentioned creative stuff, and you mentioned that I had sort of dabbled in some of that, uh, like the web stuff, I like that. I like the creative stuff. However, I, I think it's completely different if your, if your main gig is creative. I think that totally, that totally shifts the joy of

Megan Garza: Oh, yeah, 

J.D. Whitlock: instead of doing it on the side.

So I, I enjoy creative side, but I would not to want to do creative things, uh, for my paycheck, depending on, first of all, 'cause I probably wouldn't make a very good paycheck. Um, and secondly, because I want to keep the joy of it. I 

Megan Garza: Yeah. And be like, if every meal you had was ice cream, 

eventually you'd be like, I can't, I can't do this anymore.

J.D. Whitlock: For sure.

Megan Garza: Well, thank you so much for your time, J.D. I really appreciated it. For our audience, if you're interested in being a guest on Speed [00:12:00] Data, visit varonis.com/speeden data. Thank you again, J.D.

J.D. Whitlock: Thanks, man.