table experts cybersecurity & risk management · service that we need — such as 24/7 security...

SPONSORED BY ARE YOU PREPARED? CYBERSECURITY & RISK MANAGEMENT TABLE of EXPERTS MARCH 30, 2018 B1 ADVERTISING SUPPLEMENT TO THE KANSAS CITY BUSINESS JOURNAL


MODERATOR

Kara Lowe, Chief Operating Officer, KC Tech Council

PANELISTS

Kris Drent, CEO and Principal Consultant, Security PS

Jake Gibson, Chief Security Officer/Chief Compliance Officer, LightEdge Solutions

Patrick O’Boyle, Partner, MSP Consulting

John Eden, Director of Engineering, Technology Group Solutions

As chief operating officer, Kara Lowe manages KC Tech Council’s relationships with investors, representing 150+ companies throughout the region, who contribute resources and expertise to advance the growth of KC’s tech industry. She helps direct the KC Tech Council’s efforts to elevate Kansas City as the leading tech hub of the Midwest, promoting workforce development initiatives and industry access for a range of companies covering all facets of the tech industry.

Kris Drent leverages his 20 years of cybersecurity experience to inspire confidence in people and organizations of all sizes. As CEO and principal consultant for Security PS, Drent helps businesses take tangible steps to address risks and improve their cybersecurity posture so they can do business confidently. He and his team have a proven track record of applying leadership and technical skills to identify and address cyber risk across multiple industries.

John Eden helps businesses in an array of industries successfully manage cybersecurity and technology challenges. His 16-year career includes extensive experience designing security systems, conducting internal audits and leading information security initiatives for one of the world’s largest construction and engineering companies. Eden offers clients creative solutions to help them achieve their business goals.

With more than 20 years in the information technology field, Jake Gibson brings a proven record of leadership excellence and extensive experience in process improvement to LightEdge. He has served in IT leadership positions across several industries, including health care, insurance, pharmaceutical and food. Throughout his career, Gibson has been involved with aligning security and compliance initiatives with business objectives. With his cross-industry background, Gibson focuses on developing, implementing and supporting LightEdge’s strategic security and compliance vision.

Patrick O’Boyle is a partner of MSP Consulting and has more than 20 years of experience advising businesses in the areas of payment services technologies, with experience working across numerous industries, from startups to Fortune 500 businesses. MSP Consulting specializes in payment fraud prevention and cost containment to help businesses take the appropriate steps to protect their bottom line.


Data has surpassed oil as the world’s most valuable resource, according to a May 2017 article in The Economist. Business owners and managers are all too aware that any valuable resource attracts bad actors. Ensuring that data is both accessible and protected has become an essential — but often daunting — business function, one that goes well beyond the IT department.

Area cybersecurity experts provided insights about successfully managing data security and privacy issues during a recent discussion hosted by the Kansas City Business Journal. Kara Lowe, chief operating officer of KC Tech Council, moderated the discussion designed to help Kansas City businesses — from small to large — prepare for breaches and contain the damage they cause.

Kara Lowe of KC Tech Council: What advice would you give to businesses that are in the early phases of building a cybersecurity risk management program?

Kris Drent of Security PS: We are working with a lot of businesses in this position, and while there are a number of best practices that are foundationally helpful and important, we’ve noticed two pitfalls that are common in the early phases. The first is the temptation to address data security as primarily an IT problem. This pitfall will result in a security program that is limited in scalability and effectiveness to protect the company as a whole. So, one key is to remember that data security is a business function, not just an IT function.

Also, we strongly encourage businesses to make sure they put effort into both big-picture security program elements and immediately practical elements at the same time. You need to be working on both. There is a lot of work, so it’s easy to get so caught up in one of these, that you never get to the other. Either they get caught up in the big picture frameworks and policies and never get to practical matters, or they start with tactical and never get the strategic part built to keep it aligned with business in the long haul. We help push on both tracks at the same time, which helps keep momentum going because they can see practical improvements along the way, but make continued progress on establishing the bigger vision.

Lowe: Jake, in your mind, what are the key elements that constitute that fine-tuned cybersecurity front?

Jake Gibson of LightEdge Solutions: It all comes back to the individual business and the business risks that they have. Manufacturing is a lot different from health care; health care’s different from anybody in the payment card industry. So you really have to look at it from your business perspective and analyze what your strategic risks are.

John Eden of Technology Group Solutions: I’ve seen many companies jump in and say, “We’re going to start a security department.” So they take their lead network or systems person, make him or her the security manager and jump into applying technology solutions. Before they know it, they have dozens of different technology solutions in place and more vendors pounding on their door than they know what to do with it. This results in low utilization rates and resource constraints.

To Kris’s point, take some time to plan out your business risks and get the right partner to help you walk through what a sustainable and effective security operation looks like. You don’t want to get two years down the road and realize you’ve spent a lot of money and still have gaps in your posture.

Lowe: The options for outsourcing security functions continue to increase. Under what circumstances should a company consider outsourcing that security portion?

Eden: My philosophy is that if you can’t do it better and cheaper, then you should at least consider what other options exist. So typically, the companies I’ve worked for would bring in a couple of different partners, look at the service that we need — such as 24/7 security monitoring or pen testing — and compare the cost and performance of that service versus what we could do internally. We would then make it a business decision.

What we found is when we’d use the outsourcing model, it was really important to continually evaluate to make sure that service was giving us the value we needed. It was also important to find a partner who would share information about how they performed their services so that we always had options. In a lot of cases, we would find after three or so years, we had new requirements or the skill set of our team had grown enough that we could take it back in-house. So I think it’s not a “set it and forget” model but something that requires continual evaluation and a partner that has your long-term interests at mind.

Drent: Outsourcing has a lot of benefits, particularly for the tasks that require specialized skill and a depth of background knowledge. Find people who specialize and do it well — that’s a value of outsourcing. But what you can’t outsource is knowledge of your business and accountability.

Some businesses try to outsource accountability by saying, “Good, you take it, and we won’t have to think about it.” It’s actually the opposite, in some respects. Yes, you find partners who will take care of the daily functions that you don’t have the time or expertise to do. But, you have to make sure these outsourced functions effectively boil up relevant risk management information so that upper-level business leaders can be informed when making decisions.

Outsourcing shouldn’t compartmentalize security in a way that makes the function or status less understood. If done right, it should increase visibility and make security information more accessible to leadership. They need this visibility because ultimately, they are accountable for the business.

Patrick O’Boyle of MSP Consulting: Our perspective is a little different because our clients are businesses that accept card payments primarily. There are two types of issues they have to worry about. One is data compromise — protecting themselves from a breach of some kind. The second concerns fraud and what happens with that data once it has been compromised. Often, compromised data is used to steal goods and services from other businesses. This is how many businesses lose revenue to fraud.

We work to educate our business clients to not abdicate that responsibility since they own the risk. If you allow a fraudulent sale to go through and you don’t have the measures in place to block it or catch it, you’re ultimately going to be the one out the goods and services and out the money. So you still need to own the accountability.

Lowe: So it’s clear you can’t silo out your cybersecurity plan. It’s not something you can set and forget. But you have to make sure your systems are set up to withstand these types of attempts from bad actors. Third-party IT security penetration tests have become a staple. So Kris, what advice would you give for ensuring that businesses get value out of these types of third-party security assessments?

Drent: Many people don’t realize that there are different types of assessments that are designed to achieve different goals. For example, a vulnerability assessment is designed to systematically find and enumerate vulnerabilities in an environment, whereas a penetration test is designed to test the effectiveness of security controls and defenses. To the casual onlooker, these may sound similar, but to a company putting effort and money into progressing a security program, it really pays to use these at the right time and to the right scale.

So my recommendation is to consider what goals are most important to your organization at that time and discuss these with the third-party assessment firm. Is it for compliance? Is it to validate vulnerability or patch management methods? Is it to find areas in which your security program is weak?

If the third party isn’t helpful in considering these kinds of goals, then it’s likely you’ll lose a lot of value in the assessment provided. So, consider your goals, and work with a third-party security services firm that can help you align the assessment type with your highest priority goals given your maturity.

Lowe: As this industry evolves, compliance standards continually change as well. Jake, how can companies stay ahead of the game when it comes to these kinds of compliance issues?

Gibson: I agree that you need to work with your partners, your outsourcing companies, and kind of aggregate that knowledge. If we just point fingers as to who’s responsible and not work together to look at it holistically, we’re not going to succeed. When it comes to these compliance standards and regulations, they are a checklist of sorts that we have to go through. But it is important to be forward thinking and work with your partners to understand everyone’s roles and responsibilities.

O’Boyle: Every company that accepts credit card payments has to prove it is compliant with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure companies that accept, process, store or transmit credit card information maintain a secure environment.

You may be complying with those standards, but is the vendor you’re using compliant? What about the PC you’re using in your office? What about the employees you have? Are they educated and trained?

It’s about the policies and procedures as much as it is about technology. The problem is this requirement seems extremely daunting for most businesses. Less than 50 percent of businesses are doing what they need to do to protect cardholder information.

Drent: And that’s the minimum, right? With PCI DSS, the industry is being very prescriptive and explicit on how you comply. But I don’t think they really incorporate that continual improvement piece in PCI like some of the other compliance regulations do.

With any compliance standards, you have to ensure you’re meeting them, but you have to be looking ahead to what you will need in the future.

O’Boyle: Large corporations typically have an IT staff, so they have resources to address PCI compliance. But what about the local coffee shop or the small manufacturer? They may have outsourced PC and network maintenance to a small IT firm or do it themselves. Now they have this daunting ongoing requirement to prove PCI DSS compliance, and many of them just think, “I don’t have time for this.” It leaves their business open to risk.

Lowe: In addition to compliance standards, more and more clients are asking for some specificity in what the companies that they’re working with are doing regarding compliance. What advice would you give businesses to show clients they’re on top of things?

Drent: Yes, vendor management is a big topic, and those requests are continuing to grow. Up front, it helps significantly if you have a security program that defines the specific risks your company must manage. It sounds obvious, but a useful side effect of having that defined is that you can then directly determine which of the questions coming from clients or vendors are actually in scope for your business and which are not. If you don’t handle card payment or HIPAA data, then it’s extremely helpful to know those things are out of scope and not spend resources trying to meet those demands. Scope matters.

Eden: In addition, I’d say the biggest thing that I tell people is just be transparent. I see way too much hiding going on in this space. People are afraid to talk about what really needs to be talked about. Problems just get masked. Last I checked, problems don’t get solved unless you understand what the problem is.

My biggest advice to people is to build trust with your stakeholders. In my experience, stakeholders appreciate you telling them: “Hey, we’re not perfect. Here are our gaps, but here’s what we’re doing to address those.” Then you put a plan together and execute on it. Usually, your stakeholder is going to be happier with that approach than with you not telling them or giving them fluff.

Drent: We see people get into the rat race of responsiveness. They get these questions, and they spend all their time trying to come up with good answers. Put those resources into actually building a good security program. Then, you can be confident in your answers and be transparent.

I also tell people that it’s OK to say: “We’re working on that. Here’s our plan.” That’s an acceptable answer.

Eden: It’s one of the best answers. Last I checked, threats are changing every day. If you think you have everything covered, you’re probably in for a big surprise.

Lowe: Do you think this transparency also becomes extraordinarily important if a breach occurs?

Drent: It is better to be the one to communicate with those trusted partners about the issue, because they are exposed, too. They have to make risk management decisions on that. So to not be transparent would be to put them at risk, and it is not going to help your business in the future.

How you reveal that information is important. Doing it well requires a plan so that you don’t put the business at risk unnecessarily.

Gibson: Transparency’s important. There is a fine line, though, between transparency and trust, and proof and validation. Trust but verify. If they say they’re doing something, can they show you how they’re doing it? Can you or someone else validate that they are doing it correctly?

Lowe: How do you manage the costs of security?

O’Boyle: We try to help clients understand the intent of the security regulations and how to balance the business’s risk mitigation with the costs actually needed to meet that requirement. A business should bring in others to help assess the business needs and to make sure you’re doing the right things.

Eden: It comes back to risk priority and understanding the business risk, not just the IT risk. You have to have sponsorship from the CEO and throughout the company to really understand and diagnose those risks and prioritize them. That’s where a business manager might say: “This is where I need to put my money first and foremost. These other steps might be important, but they’re going to take a backseat until I get these bigger concerns taken care of first.”

Drent: When working to manage costs of security, this is where having a security program that is risk-based is so important. One size or shape of security program does not fit all businesses. Just doing what other companies do will often result in overspending on protecting things that aren’t as important to your company and possibly not protecting against risks that are critical to your business.

This is where the risk assessment process is helpful and should continuously shape your security program. Knowing what data, systems and functions are most risk-sensitive in your particular business allows you to focus resources in those areas, rather than incur the costs of trying to secure everything to the same degree. Being risk-informed helps make cost-saving decisions, such as reducing the scope of regulated data or increasing risk tolerance thresholds where it is appropriate. Again, this is specific to the business and ensures resources are targeted effectively.

Gibson: Otherwise, you end up where John was talking about earlier with a whole bunch of solutions thrown at a problem that they might not even have. You might end up with three different anti-malware programs running on your network when you only need one.

O’Boyle: You often hear about the big data breaches. And you can throw a lot of technology at the issue to secure your company. But often the basic policies, procedures and education internally matter most. You could have the greatest security mechanisms and technologies in place and still have a disgruntled employee who writes cardholder information or ACH banking information on Post-it notes and uses the stolen data to commit fraud.

Eden: I am always reminded that CEOs and boards factor money into most of their decisions, for the most part. It drives the bottom line. You have to look at cybersecurity in that same way. One of the biggest things that has to change over the next five years in this space is that boards and heads of companies need to understand the risks that they are taking on in the IT space.

We’ve done a disservice to our company leaders by not fully helping them understand what is happening in this world. Too often we’ve been asked to dumb things down, to analogize. But as data security and IT are becoming a bigger part of the conversation, I think it is our job to help educate the leaders of companies in America about what is actually happening. I think the companies that take this as seriously as evaluating their financial statements will be the companies that spend less on cybersecurity and have strong security postures.

Lowe: Can you explain a common situation a business encounters related to credit card payment fraud?

O’Boyle: Definitely. This problem can be broken into two pieces. First, you need to protect the customer data, which includes cardholder data. Good infrastructure and good training are critical.

Second you have to protect your business from accepting fraudulent payments. And that’s where many businesses lose money.

Fraudulent information, or stolen information, is used to buy goods and services in person, over the phone and through the internet. Everything looks good to the business. It looks like a valid sale, so you ship the product or render the service. It’s not until weeks later that the actual business or individual whose card information was stolen sees something come through on their credit card statement and says, “That wasn’t me.” They contact their credit card company and 90 percent of the time, they get their money back, which is called a charge-back.

As a result, the business that accepted the fraudulent card has already lost the product or service, and now they get the money ripped out of their bank account because it’s proven as a fraudulent sale. The business owns the risk in almost every case.

Lowe: We live in a very bring-your-own-device world now. And with an estimated 60 percent of cyberattacks originating from within the company, how can companies educate employees with varying levels of knowledge in the space? What is the best way to stay alert?

Gibson: Simple, quick messages. Information security should be everywhere. But if you just give them little bits of information and real-world examples, I think that brings it home. We do monthly newsletters. We send out an email and explain the incidences our clients are reading about in the news. This is how it happened, and it was an internal employee who ended up causing this breach. We show clients why they need to pay attention to this. The big question is why. Why do I as an employee have to be aware of this?

Eden: Well said. We also try to relate this to their personal lives. We’ve been able to partner with security technologies to provide their solutions to our employees’ families. It makes it more real and is added value. Then employees listen more closely to the story, and I think it sinks in better.

Drent: Security education is big because in the end, it’s a people issue. You can build security into processes, and you can harden technology. But people are the hardest to secure because we don’t operate on a concrete program or configuration. It takes training, practice and reinforcement. But that type of training is key — small digestible concepts and practices that are very practical and hit home. All the training needs to be people-oriented, not just technology- and process-oriented. Don’t ever underestimate the value of in-person, security education to make it personal.

Employees need to be trained on the process and technology. But don’t forget the human element. That’s where we see a lot of business risks go unchecked.

Eden: People will always be one of the weakest links in your chain. For years, I have worked with an organization that was highly concerned about security. And they had extensive training programs. But they never said that they would get any better than a 70 percent pass rate. Even with all of the security training and testing, they are always going to have a 30 percent failure rating.

This is in part due to the fact that they are always looking into ways to make their testing tougher. Keep in mind that this is an organization that just to get in the building, you had to go through three different security checkpoints physically.

So I think you always have to accept that users will take it so far, but they have their day jobs, and they have other things to worry about other than just security. And so the question is, how do you augment that? How do you address that huge 30 percent gap? I think the answer lies in technologies, such as user-behavior analysis, that look for patterns that don’t smell right, and having the right policies and controls in place.

Gibson: The harder issue is the malicious employee. That’s almost impossible to guard against. Limiting access to card and account data is important as is encryption. If you leave information around unencrypted, you will eventually have a malicious employee who will go get access to that data.

Drent: It’s been said for years, but there is truth to it: It’s not a matter of if your data will be compromised, it’s when. The value of this mindset is that it helps you realize that you can’t put all of your money and time and effort into defenses only. It’s also critical to plan for how you are going to respond, recover and keep moving.

To do that, you need a well-thought-out security program and somebody who’s leading that charge with business-forward thinking, making security a priority. Even for smaller businesses, resources like the NIST CSF are helpful for evaluating whether they are covering these key functions in their business. You need to be able to do all of those functions at some level.

Regardless of the model or framework you use, get help if you have significant gaps in these functions. Don’t get so stuck on defense that you overlook the importance of planning for handling breaches after they occur.

Lowe: Blockchain, AI, cryptocurrency — what do you think the biggest shift within your world of security and risk management will be in the next five years?

Drent: There are definitely some cool technologies emerging. What’s fascinating about the ones you mentioned is the variety of practical applications we’re already seeing them in.

I tend to roll my eyes at many of the buzzword-inflated blockchain conversations that pop up, but there are definitely applications of blockchain technologies beyond just cryptocurrencies — some of which have significant data-security possibilities yet to come.

I have a background in AI, and this field has recently hit a new acceleration point in practical applications, so it’s a fascinating time. While I’m looking forward to how this will change and accelerate aspects of cybersecurity, ultimately it will be a technology that helps us apply the fundamentals we’ve been talking about. So, in business, I’ll be keeping my eye on these fundamentals.

O’Boyle: In some ways, we are already using cryptocurrencies. How often do you use hard cash or write a check? All these plastic cards in our wallets just provide the 16 digits needed so you can pay for something. The card data can even be tokenized within your phone, and you never touch the credit card. We are already there in many ways.

Soon we won’t even be carrying around all these cards in our pockets. There will be no need to because the tokenized payment information will be stored and triggered by your retina or a fingerprint, similar to Apple Pay and Google Pay. These technologies, called biometrics, can even be used for online payments making the authentication much more secure — you know that person authenticated that transaction.

Eden: Again, I hope that we’ll see more education in companies of all sizes and at all levels of the organization. Everyone needs to be more aware and willing to learn about cybersecurity issues. I also think security will start to become more of a contractual business concern — to the point where the security terms will be just as important in contractual negotiations as the financial terms are.

Drent: It also has a social effect. Our social lives are often as digital as they are in-person. In some ways, we as individuals face many of the same cybersecurity concerns as our businesses. When I’m doing security training, I usually demonstrate some of the attacks that we see regularly in the field, and often people start asking me: “Knowing what you know, how can you bring yourself to do anything online?” These risks affect everyone, and left unchecked, it could drive us to live in fear of these risks.

But there is hope, and that’s part of why we do what we do. We want to be part of that solution.


How do the stakeholders of the Kansas City health care industry deliver better care?

Representatives of health care payers, providers and partners gathered recently at the Kansas City Business Journal to discuss this question and many other issues related to health care in the region. Publisher Stacie Prosser moderated the discussion, which touched on technology, partnerships among health systems and new care delivery models.

Stacie Prosser of the Kansas City Business Journal: What is the state of health care today?

Vickie Franck of Shawnee Mission Health: Health care today is extremely complex. The health care industry is constantly evolving, and millions of Americans are uninsured. In addition, the governmental regulatory burden placed on health care systems and providers continues to increase and constantly change. Everyone in the health care industry is challenged with these changes and understanding the transition from volume-based to value-based reimbursement. Shawnee Mission Health (SMH) has worked closely with several large health care organizations and independent companies, such as Spira Care and Centrus Health, both of which are innovative care delivery models completely based on this transition of higher quality, lower cost care to meet this challenge.

Prosser: Dr. Sweat, what are some of the most critical challenges?

Greg Sweat of Blue Cross and Blue Shield of Kansas City (Blue KC): One is government regulations which seem to be growing in influence. The second is technology. There are some amazing technologies that are coming out for patients and for physicians as diagnostic tools. Our obligation is to ensure that new technology is based on evidence while also rapidly integrating it into care as fast as we can.

Third, we have to figure out how to maintain the level of care we have now and not continually escalate price as rapidly. The average specialty drug costs more today on an annualized basis than the median family household income. That’s unsustainable. Consumers are also driving change. We need to deliver health care in ways that are the least disruptive in patients’ day-to-day lives.

The last one may be the biggest: data. How do we share data more rapidly and more efficiently? From a patient standpoint, we’d like to be able to share all of our payer data and hospital data in one spot, but that just doesn’t seem to be possible today due to regulations. How we utilize data and elevate it to a transparent level in the future is going to be really critical.

Prosser: Matt, how do these challenges affect the health care construction industry?

Miller: They mentioned two key challenges that are affecting health care construction: project delivery methods and managing costs. The typical design-bid-build process involves a lot of time — you have to work with users, create a design, go to the market and bid before you start building. With construction costs rising 3 to 5 percent a year, streamlining the process helps manage overall costs. To do that, we need to be more collaborative earlier, so that we can provide feedback and adapt to changes early in the process.

Prosser: Are you seeing changes in where patients are getting their care?

Miller: Yes. The trend is still to get the health care closer to the communities they serve. In addition, recently, we’ve seen a lot more health providers look at actually building projects closer to the main campus. Towers are being planned and built in order to move existing care areas to the new construction. This allows for renovation of the existing care areas to take place. I still think the trend is to try to get as much specialty care that you can within a certain radius, but then still be able to provide that service on the main campus.

Prosser: How do health systems determine where to create patient care clinics?

Franck: We look at the market need related to distance to health care services. Patients want to have care close to home. This is especially important in rural communities. Health care systems are partnering with hospitals and physicians in smaller rural communities to provide as many services locally that we can for their community. One example of this is the recent partnership between SMH and Ransom Memorial Hospital to offer specialized cardiac care in Ottawa.

Prosser: Addressing the needs of rural communities seems to be a big issue now.

Miller: It is. We’re doing one project in rural Kansas that just needed to upgrade. They are really looking at the clinician spaces so that they can deliver many services there. Additionally, their operating rooms and imaging areas were very out of date. As you travel around Kansas, you can definitely see construction at rural facilities all try to keep up with the changes in how health care is delivered. All hospitals have to upgrade their facilities to adapt to new technologies, whether they are in rural areas or here in Kansas City.

Sweat: Technology on the physician side is also driving change. Not too many years ago, it would have been unheard of to perform a knee scope outside of a hospital operating room. Most of the procedures today are performed in ambulatory surgery centers. However, some physicians in the community are beginning to do knee scopes through needles in their offices. That’s innovation.

Moving the site of service from the hospital to the ambulatory surgery center to the office offers cost savings, and it makes the process less cumbersome for patients. I would imagine over the years you will see clinic sizes shrink as physicians start to do outreach through technology. As a patient, why do I have to come in for you to tell me that my labs are normal? If I can talk to my provider by phone to address my treatment issues, why wouldn’t I do that in the comfort of my home?

Miller: I agree. Lately, we’re building a lot more for future expansion, like shell spaces. Because there is kind of that unknown of what that service is going to be in a couple of years, those rooms have to be easy to adapt. Then we can let their future use dictate how we build that space out.

Prosser: How is technology affecting the health care construction industry?

Miller: I think the biggest things we’ve seen in construction from technology are 3-D building information modeling (BIM) and virtual reality. Ten years ago when we first started doing BIM on projects, we were building it


INNOVATION AND COLLABORATION: KC’S PRESCRIPTION FOR BETTER HEALTH CARE



ADVERTISING SUPPLEMENT TO THE KANSAS CITY BUSINESS JOURNAL, FEBRUARY 9, 2018


MODERATOR

Stacie Prosser
Publisher/Market President
Kansas City Business Journal

In her role as Market President and Publisher, Stacie Prosser leads the KCBJ team to execute our mission of helping local executives and entrepreneurs grow their businesses, advance their careers and simplify their professional lives. She has been with the KCBJ for more than 20 years and served in both sales and management roles prior to being named to her current position in 2014.

PANELISTS

Vickie Franck, MHA, RN, BSN
Executive Director, Heart and Vascular Services
Shawnee Mission Health

Vickie Franck is responsible for ensuring quality cardiovascular care to the Shawnee Mission Health (SMH) community and surrounding counties. Through multidisciplinary collaboration, Franck led the development of the SMH electrophysiology, heart failure and structural heart programs. She oversees the cardiovascular service line, including inpatient and outpatient departments and clinics strategic planning, service excellence, physician alignment and daily operations. In her previous role as executive director for Cox Health and Indiana University Health System, she led the development of the Wheeler Heart and Vascular Center, the South Central Indiana regional STEMI program and achievement of multiple accreditations and cardiovascular awards.

Matt Miller
Healthcare Project Executive
Turner Construction

Matt Miller is Healthcare Project Executive for Turner Construction in Kansas City, Mo. He started his career with Turner Construction in Nashville, Tenn., which is also the location of Turner’s Healthcare Office. Because of this, Miller has been able to work closely with other health care professionals across the area. He has worked on several of Turner’s high-profile health care projects, such as Owensboro Medical Center Replacement Hospital in Owensboro, Ky., and Middle Tennessee Medical Center Replacement Hospital in Murfreesboro, Tenn. Locally, he lends senior leadership to Turner’s health care clients as they continue to grow and support the market.

Greg Sweat
Vice President & Chief Medical Officer
Blue Cross and Blue Shield of Kansas City

Greg Sweat is responsible for helping the company provide value to its members, partners and the community through innovative and efficient patient care of the highest quality. In his previous role as chief medical officer at the Shawnee Mission Physicians Group, Sweat directed all facets of the multispecialty group’s services consisting of more than 100 providers in 25 practices serving more than 225,000 patients per year. He also taught as an assistant professor in the University of Kansas’ Department of Family Medicine and served as a consultant in the Mayo Clinic’s Department of Family Medicine.
