When it comes to keeping UNC Health Care secure, connected medical devices are top of mind for Dee Young, the organization’s chief security information officer. But she doesn’t do all the work alone; Young relies on her security team, which includes engaging with credentialed police. She likes to think of it as, “us against the world.” In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Young explains how despite having great people to rely on, ultimately, the buck stops with her. “I joke with my teams that I don’t get the easy buttons,” she says. “I don’t get the ones that are just simple. I get the gnarly, the really hard ones, because everyone else has tried to figure this out.” In an era of staffing shortages, Young has had 100% retention of her team by hiring carefully, allowing for ownership and mastery of projects and encouraging a sound work/life balance.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Bold Statements

 … clinical engineering reports up through IT. We made that move about three years ago because of all the connected devices, and that’s been just a game changer in the cyber world for us.

 … one of the things we’ve done that has been really, really beneficial is we’ve done cyber tabletops. But we’ve done them at every entity with all of our leadership. And it’s not talking about the technical response, it’s talking about business continuity and clinical operations.

I think making sure, again, that with those work efforts I’ve done a little, had a little movement each week or each month, to make sure that I don’t look back in six months and realize, “Oh, I haven’t done anything.”

Guerra: Dee, Thanks for joining me.

Young:  Thanks so much for having me, Anthony. This should be a great discussion.

Guerra: I’m looking forward to it. Can you tell me a little bit about your organization and your role?

Young: Sure. UNC Health is an academic medical center. And we also have an integrated health system. We’re across the state of North Carolina; we have about 1,200 plus physician clinics and physician practices, and a really big tie with the University of North Carolina System.

Guerra: Very good. All right, I’m going to start out with an open-ended question here – just to see what’s top of mind for you, what are you thinking about?

Young: Always top of mind is medical device security. In healthcare, that’s such a key risk area for us. And I think all CISOs and security professionals in healthcare are really trying to get our arms around the proliferation of connected medical devices that are really pivotal for patient care and clinical operations. As you know, many of these devices are very precision-oriented devices that can be in the clinical setting for years and years and years. And a lot of times, their operating systems aren’t as robust as we would like in our industry. And so we deal with a lot of legacy operating systems that our clinical and business leaders still need to work and run. So we mitigate those risks quite a bit.

The other area that I think is really kind of top of mind for us right now is just getting our arms around some of the AI initiatives. Right now in the news, we’ve seen chatGPT and some of those other technologies that are really kind of getting a little more mainstream. And how do we set these up where, again,