WE'RE IN!

Kevin Tambascio on balancing security with availability of services in healthcare

Episode Summary

Integrating security into the product development lifecycle is a tall order for any industry. It’s particularly challenging for healthcare, with its wide range of critical needs from HVAC systems to medical devices. Kevin Tambascio, director of cybersecurity data and application protection at Cleveland Clinic, juggles the need for constant vigilance and staying updated on fast-moving threats to hospitals.

Episode Notes

In the latest episode of WE’RE IN!, Kevin discusses the importance of compliance and risk assessment, noting that while compliance with rules like HIPAA is crucial, it's equally important to pressure test controls against real-world threats. Ransomware targeting hospital data is the primary threat, while phishing and potential abuse of generative AI also pose significant risks. 

Listen to hear more about: 

Episode Transcription

[00:00:00] Blake: Welcome, Kevin. Thanks so much for joining me on the We're In podcast here.

[00:00:03] Kevin: Thanks for having me, Blake.

[00:00:04] Blake: So we often talk about vulnerability from a cybersecurity standpoint, right? How a software flaw or something that an attacker is trying to exploit, can actually cause problems for organizations. But in your line of work, you deal with a different kind of vulnerability and it's, you know, people are often coming to Cleveland Clinic at the lowest point in their lives and hoping to recover from, you know, sometimes life threatening conditions.

[00:00:28] How does that all change the stakes for IT?

[00:00:27] Kevin: Yeah, absolutely. Great question. I think everyone here feels that responsibility. Um, you know, within my team, we're with our responsibilities around data protection, application protection. We certainly see how important it is to protect some of the most sensitive details about our patients' lives. We feel an enormous amount of trust with our patients.

[00:00:56] You know, in many cases, it's our own information. It's, it's our own friends and family and our own personal health information, that we're trying to protect. So we certainly feel that responsibility every day. When we look at how do we keep these applications safe, keep our data safe from attackers, we're thinking about that all the time. So definitely a different level of responsibility. I think we all feel that on our shoulders, but we also take pride in it and we use it for motivation to do our jobs every day.

[00:01:27] Blake: I was going to say we often hear about the stresses facing doctors who can work really strange hours and I hear tell of like 24 hour shifts sometimes. I don't know how they do it, but there's also a lot of pressure on both the confidentiality and especially the availability aspects of the old famous CIA triad relevant to your work.

[00:01:46] How do you deal with that pressure?

[00:01:48] Kevin: You know, like if we look at our main campus hospital, our Starbucks doesn't have doors on it. It's never closed, right? It's 24/7 operations. I mean, our clinicians work incredibly hard, have incredibly challenging roles. We always have to, you know, look at that balance. I mean, just like everything in cybersecurity is a balance, right?

[00:02:08] We could turn off applications and make them 100 percent secure, right? But certainly we wouldn't be enabling the business to do what it does. So I think like everything else in security, we, we always look at the balance there. We have good policies and standards that, that help us really make good decisions.

[00:02:26] We really view cyber security as not the department of no. It's really about how do we enable the business? How do we partner with them to find solutions that are going to work and, you know, balance the need between security and also the, the availability of care, availability of care is, is really so important.

[00:02:46] Um, just because of a cyber incident or, or some type of, operational disruption like that, you know, patients don't stop having conditions where they need care. Availability is so important. It has to be a balance. So between the different aspects there.

[00:03:02] Blake: Right, I guess that old mantra of, how do you secure a computer by, by turning it off doesn't, doesn't really fly in the healthcare field. That's, you don't want to be turning a lot of these computers off, I suppose. So, let's talk about the software development lifecycle. How do you go about building a software development lifecycle for a hospital?

[00:03:21] Kevin: So previously I had experience trying to help build security into a product development life cycle at my, in my former company. It was different there in the sense that, you know, it was an engineering company and, we had a lot of well developed structure and process around how we engineer products from start to finish.

[00:03:40] Coming into healthcare, it's a little different. We have, everything from groups with, you know, software engineers, building, you know, world class applications, that we use for patient care. And on the other end of the extreme, we might have a doctor, a researcher who wants to just make a website, to share research data, with the world.

[00:03:58] So it's a little bit different here. We've had to work to try to understand the different groups that are building software and what kind of maturity they have. Work with them to, define a set of processes that are going to scale in both of those directions. So we started with just understanding, like, what are we doing today?

[00:04:17] And when I took on this role about two years ago, we were more focused on static code analysis. And we started to look at what do our development teams really need here? And the first step was understanding like, how do we start to, have security requirements and privacy requirements, you know, at the first stages of software development.

[00:04:35] So really that, that shift left mentality where we wanted to start to have cybersecurity get involved early. Nobody likes when cyber comes in at the last minute, right? I mean, that's always a bad conversation, everyone's upset, it never goes well, right? Team wants to ship something next week, and then cyber finds out about it, and

[00:04:55] Blake: The department of, the department of no, like you were saying, like, no, no, no, no, no.

[00:04:59] Kevin: Yeah. So, so when I came in this role, I started talking to other directors who have software development activities and saying, listen, we want to get involved early. We want to provide you resources. And in my opinion, requirements and threat modeling are the best place to really start.

[00:05:14] Let's make sure off the bat that, you know, we have the right requirements, security and privacy, both, to make sure that team is successful. So we kind of started there. We brought in some tools to help our teams with that aspect of it, and then continue to help them as they build their code.

[00:05:31] And also, to make sure that, you know, their applications then get when they're published externally, get into, you know, the bug bounty program as well. And so it was really about, understanding where can we help you. I think everyone in healthcare wants to do the right thing.

[00:05:45] There's nobody who doesn't want to support HIPAA, for example. Due to the regulations, it was really about, well, how can we help you get there faster and better and hopefully, you know, more efficiently. So definitely an interesting problem. We had to find ways to kind of scale this to both the more professional development teams as well as maybe, let's say, the more casual development team who wants to publish something.

[00:06:09] Blake: You mentioned HIPAA and obviously compliance is a huge part of the healthcare industry. That's perhaps the most prominent set of regulations. I even forget exactly what it stands for. I'm sure you know it like the back of your hand, but I've heard mixed reviews from practitioners on the impact these kinds of, you know, regulations can actually have on cyber investment.

[00:06:25] Where do you fall?

[00:06:28] Kevin: So I think compliance, obviously, you know, very complex set of requirements. We're also, working with HITRUST, uh, for a lot of our, um, electronic health record systems. Compliance is an important piece, but I really find more value in, at it from a risk, you know, perspective.

[00:06:46] What are the threats that are truly, applicable to us, and how do our defenses, match up to those threats? So for example, I like to go road biking, and I'm always riding past this one house that, has basically like a gate across the driveway, right? But there's like no perimeter fencing around the whole thing.

[00:07:06] So from a compliance perspective, the compliance might say you must have a gate. They have a gate, right? But are they secure? Well, it depends on the threat, right? Are they secure from a car coming in? Maybe. There's trees around and stuff, so maybe you prevent a car from going through. But are they secure from someone walking up to their house?

[00:07:26] No, right? So there's, there's no, entire perimeter fence, to speak of there. So obviously, you know, compliance with requirements, important and we have extensive procedures around that. We also do a lot of pressure testing, right? We, we analyze our threats. We analyze who, you know, is, is attacking healthcare.

[00:07:47] How are they doing it? What kind of tactics and techniques are they using? And make sure that we pressure test our controls, from top to bottom, making sure that we can defend, against those, specific threats. So I think it's a combination. You obviously need to be compliant. Compliancy is a great way to demonstrate to outsiders, you know, where we are.

[00:08:07] But also what are the real threats we're concerned about? How do our real-world controls live up to that pressure?

[00:08:13] Blake: And speaking of threats, it seems like ransomware attacks have just really taken off and across multiple sectors, not just healthcare, they've really taken the gloves off. But showing a willingness to target everything from cancer wards to children's hospitals. How do you defend against such a cruel and relentless threat?

[00:08:32] And what trends are you seeing in the ransomware space?

[00:08:35] Kevin: Certainly ransomware continues to be the number one threat we face. Even during COVID, groups were, you know, ratcheting up, attacks against healthcare, against, supply chains, against, uh, you know, vaccine, uh, producers in some ways. Certainly it's, it's 24/7 nonstop. We definitely, again, feel that pressure, that responsibility, you know, to protect that information because that's what they're going after.

[00:09:01] They're going after, our most sensitive details that our patients, you know, trust us with. Our CEO always says, trust is earned in drips and lost in buckets. A successful attack would be, you know, that buckets or multiple buckets lost in that sense.

[00:09:17] In terms of trends, still a big focus on, you know, phishing. It's still targeting people. Also I see stories of, you know, people getting in through applications or getting in through things on the perimeter where they're able to not necessarily attack that application, but that application can be that gateway, that, that door into the organization and where they can look to pivot, uh, through the organization. Certainly, I think one of the threats too with generative AI, while generative AI is awesome, um, and a lot of potential, also the potential for abuse and for attacks having, you know, I've seen stories around, you know, deepfakes and things like that using generative AI platforms to generate videos and things can, you know, potentially enhance some of those phishing attacks.

[00:10:04] Certainly it's still the number one thing we're, we're focused on. It can be, you know, through people, through applications, and unfortunately being taken advantage of with AI as well.

[00:10:15] Blake: Yeah, well, I know, as I understand it, you sit on the AI task force at Cleveland Clinic. What can you tell me about that? What's coming around the bend there?

[00:10:23] Kevin: So I think very, very early, we recognized, the potential that artificial intelligence has, uh, for healthcare. It definitely needs to be harnessed and used in, uh, good ways. It definitely has, uh, the potential and, uh, we see already, you know, a number of our caregivers coming up with amazing ideas, to try to utilize, uh, AI, uh, to improve healthcare, to improve outcomes to improve efficiencies.

[00:10:53] Kevin: And of course, in cyber security, looking at how can we use that to get better or improve our own efficiency. So one of my colleagues, Kevin Mooney, who oversees our data governance program, had the idea to start creating an AI task force to start to kind of wrap our arms around the problem. Again, we wanted to have safe and responsible procedures, but at the same time, we want to enable our clinicians and researchers to use this technology. So we put together a cross functional task force, made up of, of clinical and non clinical roles, several clinicians as well as people like legal, compliance, cyber, and others, where we all kind of look at the proposed, AI project and look at how does it comply with our policies, our standards, does it hit the ethical considerations?

[00:11:45] Is it clinically viable? Which, of course, I have no say in, right? That's not something I can, you know, say. You know, really understand. But then, okay, I have questions around, well, how are you protecting the data, right? How are you going to potentially de identify this data or, you know, make it safe, you know, for us to use it?

[00:12:03] And so it's, it's very, interesting conversations again, seeing kind of the brilliant things our researchers are coming up with. And also, you know, I feel good about, Hey, we, we've got some, some good guardrails in place. I think every institution like us probably needs to think about it that way.

[00:12:20] How do we enable research? How do we enable the outcomes? Because there are a lot of great promises and abilities out there but at the same time we still, again, we're a regulated industry. We have to remain compliant with HIPAA and other things, right? So how do we facilitate that for our clinicians, while also staying in favor of those regulations?

[00:12:40] Blake: Definitely. And AI, it's, it's so exciting what's happening with AI in the healthcare space. I know it's neither of our purview as far as like actually digging into the weeds, technically getting it to work in a responsible manner that can be applied to patient care. But you still see some of those amazing leaps and bounds types of progress.

[00:12:55] Like, you talk about the AI hype cycle, I feel like healthcare is actually one of the few areas where there's like, a super legitimate use case of helping doctors diagnose, helping find better patterns and treatment breakthroughs and whatnot that that can definitely be kind of hidden in all those, all those reams of data that you probably have, but yeah, the security piece.

[00:13:13] Kevin: Yeah. Yeah. I mean, I think every, every, uh, I mean, man, I don't know how many times a day I get a message from somebody that, yeah, they're, they're putting AI in their product. Sometimes it doesn't make sense, but I think when it comes in my area for data protection, as well as application protection, there's definitely some, some great possibilities.

[00:13:34] I mean, when you think of data protection, machine learning is great at consuming data. Well, guess what? We have tons of data, right? And so you can start to apply those principles to understand the landscape, understand where are there excessive permissions? Where are there, policy issues with retention?

[00:13:50] We can start to look at how information is being shared. Should it be shared externally, right? And I think, these platforms can help us. And then same with app security. I see a lot of potential for enhancing like our ability to understand our perimeter. I think like many large organizations, it's challenging to understand what are all the applications, what are all the things exposed on your perimeter, what's your attack surface look like, right, externally. And then I think we'll also see AI tools that can help with, you know, pressure testing those applications, looking for, for gaps and maybe augment, you know, security researchers who can, you know, kind of find maybe the more complex things. Also helping developers write more secure code.

[00:14:31] Suggesting, you know, fixes to developers. And trying to, you know, maybe a developer who's earlier in their journey and maybe is still learning how to write secure code, can an AI system help with trying to suggest better ways or suggest fixes for vulnerabilities?

[00:14:47] I don't think we're at the point where we'll blindly accept code changes, uh, from a Gen AI platform. But can it be that helper? Can it suggest, hey, maybe there's a more secure approach, you know, to that SQL injection, uh, issue, to help them, you know, off the bat, write more secure code. So, I definitely see a lot of potential for application and for perimeter, and hopefully finding vulnerabilities sooner.

[00:15:09] I mean, I think we all want to find our vulnerabilities sooner or prevent them from getting there, in the first place.

[00:15:14] Blake: Definitely. And since we're talking about coding a little bit here, I wanted to flip back to the software development lifecycle, the SDLC. How does something as wonky sounding as that, right, for the uninitiated, connect to patient safety?

[00:15:29] Kevin: Yeah, so many of our applications, you know, directly support care. There are applications that are, used by clinicians, uh, for calculating drug dosages in certain situations, or a lot of times we're building applications that kind of bridge different systems, uh, together.

[00:15:47] Or they could be just our, our main website. Which is allowing people to schedule appointments with providers or find the information that they may need for whatever condition they might have. I look at it as, you know, if we help our teams build more secure applications, we're overall improving the resilience of the organization.

[00:16:06] Like I said before, the applications themselves can be a target. And, many of these applications have access to patient health information just by nature of what they do. But also how can this application be an entry point to pivot further into the organization. So I think application security is incredibly important in the space. It can be that that way that somebody gets in, that front door that somebody can defeat. And whether it's bringing down an application or, stealing the data from within or pivoting further into the organization, those all directly affect patient safety.

[00:16:44] Again, if these applications aren't available, our patients, you know, will feel the effects or the loss of trust, the reputational harm, if, you know, data was extracted through, uh, one of those attacks.

[00:16:59] Blake: Well, hopefully not. And I'm sure your teams leverage the MITRE ATT&CK framework, ATT&CK with that ampersand in the middle, kind of love it, that sort of library of adversary tactics and techniques. If anybody from MITRE happens to be listening to the podcast, which I hope there are a few of them out there, what's something that you'd have on your wishlist for, for changing the MITRE ATT&CK tool?

[00:17:21] Kevin: Looking at some of the most recent changes to MITRE ATT&CK, I don't know if I have a specific idea for a change. Just looking at the new version 15 that was released, there's a lot more content around, relevant threat actors, more cloud, which my team is also responsible for protecting our cloud workloads, more application security content, AI tactics and techniques.

[00:17:45] So I think they're doing a really good job of incorporating, new content, into the framework and, and making sure it's relevant and modern and, you know, able to meet our needs. I definitely like how they're decomposing industrial control system in the, variation of the framework.

[00:18:02] I spent 18 years in the industrial control space, um, there's a lot of unique challenges and problems, some of which are also in, in healthcare and, uh, they're definitely trying to kind of look at what's the real world attacks, real world incidents, and how can we bring that into the framework, to help organizations understand and then, again, we, you know, we use a lot of the content in the framework to then pressure test our defenses across the board.

[00:18:28] Blake: That's interesting that you mentioned that ICS connection, because obviously the cyber physical nexus is so important and it's only growing more prominent and more of a, uh, you know, you worked at Rockwell Automation, which might not be a household name, right? But I would posit that it absolutely should be, because its products and technology contribute to all sorts of everyday things.

[00:18:50] Necessities like clean water, access to electricity. What are some of those lessons from your time at Rockwell or just from the industrial control system space writ large that carry over into healthcare?

[00:19:02] Kevin: You know, I came into, you know, coming from that manufacturing background into healthcare and, initially kind of confused, like, why, why would they want someone like me, in health care, but, I quickly realized that, hospitals have this incredibly diverse set of, you know, things, of connected things where I kind of look at inner ring is the medical devices that are actually touching a patient and delivering care, like infusion pumps and MRIs and things like that.

[00:19:31] We have systems, HVAC systems that are all connected and HVAC isn't just like a comfort thing, we actually have parameters around delivering care. I mean, you can't perform surgeries if the temperature and humidity is out of range, right, because that, that correlates to infection rates that can happen.

[00:19:52] Lighting systems, elevator systems, emergency systems, you know, parking systems even, you know, Xboxes in the children's hospital, right? To allow them to have, you know, a sense of normalcy as they're staying with us, you know, for care. So, incredibly diverse set of things, uh, in this environment.

[00:20:10] Every type of IoT device is here. Again, availability is king, uh, when it comes to healthcare and in manufacturing. Manufacturing from a cost perspective at any moment of downtime is potentially very expensive. Pharmaceutical manufacturers, if that process gets disrupted, you know, they have to throw away millions of dollars of chemicals because they can't validate the quality of the drug at that point.

[00:20:34] And again, health care, the availability of care, you know, it's nonstop. People need care no matter what's happening at the hospital, uh, at a given time. Health care and many areas that Rockwell served, uh, in the critical infrastructure verticals we're all under attack, you know, for different reasons.

[00:20:53] We all feel that, that pressure back at Rockwell. I was helping pharmaceutical customers, food and beverage, uh, water treatments, electricity you name it, critical sectors that provide, you know, services. And so again, in healthcare, you know, definitely that, that same pressure, uh, that same sort of target on our backs.

[00:21:12] A big change though was moving from the vendor side to the end user side. I used to write a lot of the vulnerability declarations at Rockwell. So if we had a product that was a public vulnerability, CISA and, and get those published and at the time it was very easy to say, hey, you just need to patch your system or you need to update this or, you know, um,

[00:21:34] Blake: Why can't these people patch? What's wrong with them? Sorry, I'm putting words in your mouth there, but yeah.

[00:21:40] Kevin: Yeah, or yeah, you know, hey, just, yeah, just go ahead and patch, how hard can that be, right? and then I, I come to a place like Cleveland Clinic and, you know, for us to patch our infusion pumps, it's like, well, you know, they're still using, like, you know, infrared dongles and, and things.

[00:21:56] We have to get a person to come from the vendor to patch, you know, these devices. Our devices are being used, you know, 24 7. How do you reboot a server? It's patch. How do you restart, you know, these, these applications? Just kind of learning firsthand how incredibly hard it is, you know, for end users to manage security, we're the last of the line.

[00:22:15] There's no one else to kind of transfer, you know, the risk to. Hospitals across the industry are struggling to get the resources, the tools, you know, for cyber security. A lot of times, I see, you know, people comment about hospitals not spending money on security and not doing enough.

[00:22:33] But I think the reality is right now, especially in healthcare, margins are incredibly thin right now. We're getting hammered with inflation and things. And, you know, hospitals are struggling to find talent to buy tools. I mean, a lot of these cyber tools are very expensive. And so I think hospitals want to do the right thing.

[00:22:52] They all want to protect our patients' data and, and, and care and have, you know, positive outcomes. Many hospitals are struggling, you know, to find the resources. They all want to do the right thing, but actually getting it done is really, really hard in healthcare.

[00:23:07] Blake: Yeah. And unfortunately, you know, you talk about obviously everybody kind of in this together wanting those positive outcomes, but a few major healthcare organizations have been in the news recently for, for some of the wrong reasons. And, you know, obviously I won't ask you to comment directly on those cases, which have been covered in the media.

[00:23:23] Anybody can find them ad nauseam, but I would be curious to hear how cyber news events actually factor into your day job. Like what's the impact when Cleveland Clinic president and CEO Tom Mihaljevic reads about a healthcare breach and when he's scanning the news headlines, does he call you up and say, Kevin, what are we doing about this?

[00:23:43] Kevin: Yeah, I'm sure he talks to our CISO and has questions, wants to, you know, be reassured, you know, that, we're in good standing, that we're protected against that threat or what we're doing, you know, about it. Many of these attacks, we look at what are the tactics and techniques, what are the threat actors that are, you know, behind it, what kind of things are they doing?

[00:24:06] And then I, as I mentioned, I used to manage our attack surface reduction team, which was, you know, our pen testers and red teamers. And, you know, we'd say, okay, here's the playbook for this new threat actor. How do we, test our controls in a safe way to see, you know, would we detect this attack?

[00:24:23] Would we be able to stop this attack? You know, if it happened in our, uh, organization. There's a lot of great organizations out there too, like H-ISAC that shares, you know, indicators of compromise and shares that with all the different healthcare delivery organizations so we can ingest that into, you know, our protective tools.

[00:24:41] So I'd say overall, we, we try to learn, you know, especially if there's like a novel component to, uh, a news story or situation, you know, how can we take a look at that ourselves? And how do we stand up to that? What can we do, you know, to improve our, our stance, our protected state, uh, against those new threats.

[00:25:01] The ransomware groups are continuing to, to look at healthcare so it's a nonstop mission, right. To understand those attacks and measure how we are able to stand up.

[00:25:12] Blake: You told the Dark Rhino Security Podcast last year that quote, people in cyber are not normal people, end quote, which I got to chuckle out of that because it is so true, but you still have to relate to normal people. And try to get normal people to appreciate good security practices and hygiene. So what's your strategy there?

[00:25:31] Kevin: I also would, I guess, kind of liken it to, like, if you talk to an ER doctor, right? I mean, an ER doctor has seen things that would blow away normal people in that sense, right? We're so used to this, you know, we're so used to the, the, the bad news and threat actors attacking us.

[00:25:49] You know, when I talk to nurses or clinicians about some of this stuff. Like they're just kind of blown away, you know, by all this, stuff happening. Ask questions like, are we getting attacked all the time? And, and, you know, I'm like, yeah, absolutely. There's attempts every day, every second.

[00:26:05] So I think it's really important for cyber practitioners and leaders to connect with the quote unquote normal person and explain it in a way that they can understand. If I go to a clinician or a leader in the clinical side and start talking about SQL injection and all these bad things that can happen with SQL injection, buffer overflows, like they're not gonna, they're not gonna connect with that, right?

[00:26:30] But if I go in and talk to them about Here's how it could impact patient safety. Here's how it could impact our data, which is a patient trust factor with us, right? Here's how this system could get taken down and disrupt our imaging processes or our ER systems. Okay, now I get it, right? It's a patient safety issue.

[00:26:51] So I think you always have to find the language. You have to find something that people can relate to, and really help them understand. So some, some leaders, if they're, you know, clinical, patient safety, tying it to patient safety might be really important. If it's more of a business person, talking about how this could impact financials, regulatory practices, if it's a lawyer. You really have to find a way to make it approachable.

[00:27:16] And you have to explain why this is important. I feel like you just dive into what you need to do. If I just go to a leader and say, hey, you need to start doing this and start doing that, like, but why? Why do I care? Okay, well, here's an example of an organization that got hit with an application security vulnerability, right?

[00:27:33] Here's how somebody got in. And they disrupted care or patients had to be diverted to a different hospital, which could impact the outcome, right? Outcome of, of that condition. This is what we, we don't want to have happen here, right? And try to get there by and try to help them understand why.

[00:27:49] So it's, it's really a self awareness thing. You have to really understand the audience, understand what, what matters to them the most. How do you make it approachable?

[00:27:58] I think it's important to, to show the bad and show what can happen but also really help them understand it in a way that they can approach it.

[00:28:07] Blake: Well, and based on what you said earlier, it does sound like there's CEO level buy in here. I thought, Tom Mihaljevic's quote of trust is, what was it? Gained in drops, lost in buckets, is so apt for the cybersecurity space. I mean, that really says it all. So, well, thank you so much, Kevin, for joining me on the podcast.

[00:28:23] Really fascinating, important discussion. Lots of really interesting work you're doing. There is one question we ask of every guest on the We're In podcast, which is what's something that we wouldn't know about you, Kevin, just by looking at your LinkedIn profile.

[00:28:38] Kevin: So originally I was going to go to medical school and be a doctor. So when I was in college I was pre med initially and I was kind of walking down that road and I was kind of surrounded by a bunch of guys who were like computer science, computer engineering majors and of got drawn into all the cool stuff that they were doing.

[00:28:56] Ended up changing my major to computer engineering, and then spent 18 years in software engineering and product security at Rockwell, um, and then found myself back in healthcare. And so it was kind of cool to be looking at, I guess, what my original career aspirations were, and then kind of marrying that up with technology and computers that became my second love here.

[00:29:19] I'm humbled to, you know, serve this organization. I'm humbled to, to try to make a difference here. Uh, and it's been really cool to see the computer skills applying into healthcare, which is the area I originally wanted to go into.

[00:29:33] Blake: Come full circle. Well, thanks again, Kevin.

[00:29:35] Kevin: Thanks so much, Blake. Thanks for having me.