HIStalk Interviews Ed Gaudet, CEO, Censinet
Ed Gaudet is founder and CEO of Censinet of Boston, MA.
Tell me about yourself and the company.
I’m a high-tech entrepreneur. I’ve done 11 startups throughout my career, mostly focused on building products and applying technology and automation to solve customer problems. I’ve done cross industry, everything from finance and energy to healthcare. I entered healthcare in 2010 when I joined Imprivata. I took Imprivata into healthcare, drove marketing and products for them, and then built their cloud platform for communications. We eventually took that company public and then private when Thoma Bravo purchased the company in 2016.
I left and attempted retirement, but that didn’t go too well [laughs]. My wife cordially commanded me to go find a job and get off the kitchen table. I started Censinet in September 2017, partnering with investor Keith Figlioli of LRVHealth. We found a syndicate of other investors and launched the company.
Who are your main competitors and what are your differentiators?
I saw while working at Imprivata this requirement to fill out security risk assessments. We used to joke that if you see one assessment, you’ve seen one assessment, because they are all different. They were in different formats, the questions were different, and semantics were different, so it took a lot of time. You could never get really leveraged. When I looked at problems to solve as I was exiting retirement, I kept coming back to this problem. What was interesting to me was looking at all of the alternative solutions that had been out there in the marketplace for probably a decade. Yet the problems — breaches, incidents, and attacks — were getting worse. Whatever we were doing in terms of trying to protect healthcare wasn’t working.
I looked at the problem around risk management in particular. I felt like there was an opportunity to disrupt the market and do something completely different to ultimately move the needle in risk and start to take out risk in healthcare. That was the idea behind it.
Some organizations aren’t what I think of as competition, but they they were providing solutions at the time. They were doing assessments through a combination of technology and services. You had folks like HITRUST with their framework. Then there were a bunch of early-on entrants that were trying to automate the problem through a pipeline approach, a single application, and you couldn’t get leverage.
For example, if Intermountain was using a single application to manage risk, and Cedars-Sinai was using the same application but they weren’t really connected, where’s the leverage? In looking at other markets, technologies, and architectures, I had this epiphany that we should put it on a network. We should think about it as a multi-sided platform. Could we streamline the automation on an exchange, a platform that was connected to the different actors in that process of managing risk information, and ultimately put controls in place to effectively reduce risk over time?
What are healthcare’s risks and how do they compare with those of other industries?
I learned through the Imprivata experience that healthcare is different. It is an ecosystem in and of itself. It’s a large ecosystem. The workflows are different. The requirements are different. The regulations are different. Other competitors or solutions were taking a broad approach to the problem, but I felt like we had to be purpose-built for healthcare. We had to think about the problem through the lens of the CIO and the CISO in healthcare and not worry about other industries, because the problem is so big.
We started with third-party risk. We thought about the vendors and those products and services that they were providing to the health systems. How that could affect risk. At the time, the percentage of third parties that were involved and integrated into the business process of health systems was fairly manageable. But in the past five or 10 years, that percentage has grown exponentially. You’re seeing every business process in a health system directly being run on some type of digital or IT infrastructure or technology.
Cyber risk was mostly in IT problem. Your IT organization would manage the security risk assessments, the process for collecting the data, create the remediations or corrective action plans, and manage that through the business. Cyber risk is now enterprise risk that affects every single department within a healthcare organization. Every business process is affected by cyber risk, because they rely on technology to do their work.
That has made a big impact on our overall strategy and where we’ve taken the product. Where we started with third parties and built the platform, today we have over 34,000 assessed vendors and products in our digital catalog. On the other side of the network, we have over 100 customers across more than 500 facilities. The network is growing, and every new provider we add, every new vendor we add, has a geometric effect. Providers bring new vendors, new vendors bring new vendors and new providers. There’s this flywheel that happens. We get this incredible network effect on our platform, which drives a number of benefits to the participants.
Part of the vision was that if we’re going to solve this problem around risk and around cybersecurity, we have to take a page out of the bad guys’ playbook. If you think about what they’re doing and why they are so effective, they are organized. They have a cyberattack conveyor belt. They have applied manufacturing principles to cyberattacks. They have this concept of micro services, where each person has a certain role that they manage in the attack. It’s not just one person doing the full stack attack. That organization has made them effective and dangerous, yet from an industry perspective, we haven’t come together. The vision for Censinet was a platform to facilitate that ability to drive that leverage and drive the power of the community to protect itself.
Many recent incidents involved business partners or external technology vendors. What do you look for and what do you provide to the organization that engages with you?
Our history from an organizational perspective is third-party risk. We’ve leveraged that into other areas of risk management. When you think about an initial customer implementation, the customer comes on board and they can easily and quickly start sending out assessments in the platform. They’ll search for a particular vendor or product. They will use the platform to send out an invite that vendor and its products into that process. The analogy is where you want to do an assessment on a vendor and its products and you send out any email with a spreadsheet. We’re automating that workflow and sending out an email with a link to the portal.
The vendor fills out the questionnaire, attaches any supporting evidence or documentation to their claims, and it sends it back to the provider. The provider then has full automation capabilities for things like rating and driving corrective actions or remediations automatically, or they can do it manually in the platform and they can generate all their reporting through the platform as well. That end-to-end process, without us, can up to six weeks the first time time a vendor comes on board. Our SLA guarantee is 10 days or less for that full assessment, which is incredible. The next time that vendor gets asked to do an assessment by somebody else in the platform, it’s a click of a button. The network effect continues to drive that value as more people are added to it. It increases over time and it’s exponential.
We are doing not just that facilitation. We are also doing those governance functions. We’re driving the curation of the assessment data, the questionnaires based on the regulations that are ever changing, as well as the corrective actions. If a vendor answers in a certain way and risk is generated, then how do we correctively reduce that risk? What do we put in place to move that risk from a certain inherent risk to a residual risk that we can accept as an organization? We do that all on the platform.
Typically without a platform like ours, you do a point in time, set it and forget it. I’m going to purchase this product, I’m going to do risk, and then maybe I’ll be able to do a reassessment at some point, which nobody ever does. With our system, once you do your initial assessment, you’ve got the data in there. You can automatically set up a reassessment for some time, usually a year later. You can tier that vendor into a critical, high, medium, or low tier, which can drive automation on the back end. You have the ability to periodically and continually assess that vendor and their product or products based on maybe a scope change.
For example, if you just set it and forget it, you miss the ability for risk to appear based on some type of scope change. Blackbaud was a donor management that many health systems used a few years ago. On paper. it seemed like it was low risk. No PHI is going to be on this, so we’ll send it through a low risk assessment process. Users changed the scope of usage, and introduced risk, by putting PHI in the application. Because nobody was looking at it, nobody was continually assessing it, they missed it, and it caused a huge breach issue across a number of health systems.
Having this lifecycle approach is another differentiation that we bring, and an innovation that we bring, to the marketplace. Think about it as a longitudinal record for risk in the same way that the EHR is that longitudinal record of care.
Customers are always faced with the decision of how much they are willing to spend to mitigate whatever risks exist. What framework do they use to evaluate the exposures you call out?
Without a system like this, they are rolling the dice. It’s anyone’s guess. There’s an inability to manage a risk program in a way that can be data driven because the artifacts are scattered. They’re not centrally located, they’re not pulled together, they’re not driven through automation. They might be in emails, spreadsheets, sticky notes, and conversations, so the ability to assess all third parties is difficult without a system like ours.
You have to automate that process. You could have 1,000 vendors with 2,000 products in your environment. You start to apply a solution like ours. Those have to be added to the system. That data has to be captured through maybe a reassessment that can be automatically set, because every day that goes by, someone is buying something new that needs to be assessed.
We often see customers will start with net new vendors and products and quickly realize, wow, we have all these other legacy products that we have three-year contracts with. We need to add them to the system as well. We encourage that, because ultimately you have to understand what that risk is. With a system like Censinet, it doesn’t take a lot of time to do that. There are tools to basically apply tiering to those different vendors and products. Which by the way, people do regardless of whether they have a system or not.
Let’s say they have a handful of products, but they’re doing it manually. What we find is that there’s this tiering that happens a priori before they even do an assessment. They will say, we can’t handle everything, so we’re going to make some judgments. We’re going to stratify artificially these vendors and products into buckets of risk. That’s high, that’s critical, that’s medium, that’s low. But there needs to be a true business impact analysis, where you’re understanding the product and the vendor relationship through the eyes of the business, because ultimately they understand the importance and criticality of that product, not the IT organization.
There’s this real disconnect with the risk management programs that occurs. Everyone thinks they are doing the right thing by doing these assessments, but there needs to be a broader rubric and a strategic lens to apply across the organization when it comes to risk. Because as you said, you otherwise could be spending a lot of money and getting little benefit. We see that all the time. We see organizations throw point tools at the problem and not think through strategically how to manage risk. Not just today, but in the future.
If you take a tool and you apply it to a terrible process, you’re going to get a terrible result. Vice versa, if you have a great process and you apply a terrible tool, you’re going to get terrible returns. If the tool is good, then the tool should inform the process. The leadership team needs to take that into consideration when they bring these things on board, because they are transforming their organization. They should be open to that. They should be willing to change, because ultimately they’re going to have to change to stay in the game. It’s no longer good enough to throw spreadsheets at this problem. You need a better approach, a more strategic approach, that includes the right resources, the right process, and the right product or technology to move the needle on risk.
What will be important to the company over the next three or four years?
When we first started off with third-party risk, our customers would come to us and say, we love what you’re doing with third parties, but we have another dozen or so risk processes, silos if you will, within the organization. For example, Intermountain said, we have institutional review board processes and we do a number of risk assessments, but we do it in a different product. We are holding this thing together and we have people supporting it. Can you consolidate it on your platform?
We’ve been working with our customers to identify those silos of risk and consolidate them on the platform. We’ve added things like IRB and the ability to do enterprise risk, where the health system can assess its own facility, its own operations, using NIST CSF, using the health industry cybersecurity practices, the HICP framework. Those are being recognized as security practices. In the event of an incident, if you an prove that you’re following the NCSF and applying it, or HICP, and there’s some type of event or incident, OCR has to take that in consideration as part of some recent regulation. Public law 116-321 provides — I hate to use the word safe harbor, but effectively it’s a safe harbor – if you do the right thing from an enterprise risk perspective.
We look at M&A transactions, the risk involved with acquiring a new organization, and assessing the risk of that and how you bring that into the platform. If you’re building applications internally or doing integrations, those require assessments as well. You can do that now on the platform. We started off with technical suppliers and technical products, but what about the non-technical suppliers, like a laundry service that may be critical to a health system? The health system is so large that it requires a certain laundry service, and maybe there’s only one that can service them accordingly. What would happen if that laundry service was hit with a cyberattack? That hospital wouldn’t be able to function without laundry.
Elements of suppliers that are non-technical could have huge impacts to health systems. Maybe the organization is thinking about those, maybe they’re not, maybe they’re in a different system. Medical devices typically are being managed through the biomed team, but there should be some connection with the IT team. Why are they doing it in two separate places? Why are they doing it with two separate processes? We are starting to see the consolidation of all these silos of risk on the Censinet platform, which continues to drive down the unit economics for our customers and deliver interesting, unique value.
With this Oracle roll-out in Sweden, and the Epic roll-outs in Denmark, Finland, and Norway, I wonder if anyone has…